Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/supplier-save endpoint, affecting data integrity and confidentiality of other users viewing the supplier data. The vulnerability requires user interaction (UI:P) and high-level privileges (PR:H), limiting its exploitation scope; however, publicly available exploit code exists and the vendor has not responded to disclosure.
Technical ContextAI
The vulnerability exists in the /inventory/supplier-save functionality of Devs Palace ERP Online, a web-based enterprise resource planning system. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is not properly sanitized or encoded before being reflected or stored in dynamically generated web content. The affected CPE (cpe:2.3:a:devs_palace:erp_online:*:*:*:*:*:*:*:*) encompasses all versions of ERP Online up to and including 4.0.0. An attacker with high-level administrative privileges can inject JavaScript payloads through the supplier save form that will execute in the context of other users' browsers when they access supplier data, typically leading to session hijacking, credential theft, or unauthorized modifications.
RemediationAI
Upgrade to a patched version if the vendor releases one; however, no vendor-released patch has been identified at the time of analysis and the vendor has not responded to disclosure. Implement input validation and output encoding on the /inventory/supplier-save endpoint to sanitize and escape all user inputs, particularly in supplier name, contact, and description fields. Deploy a Web Application Firewall (WAF) with XSS detection rules to block payloads containing script tags, event handlers, and JavaScript: protocol URIs. Restrict access to the /inventory/supplier-save endpoint to a minimal set of trusted administrators using network-level access controls or IP whitelisting. Enable Content Security Policy (CSP) headers on all ERP Online pages to prevent inline script execution, mitigating the impact of stored XSS even if payloads are stored. Audit existing supplier records for injected scripts and remove any suspicious content. These controls trade off some administrative convenience for substantially reduced XSS attack surface until vendor patching is available.
More in Erp Online
View allCross-site scripting (XSS) vulnerability in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privile
Reflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated
Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0 allows authenticated users with
Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged users to inject m
Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high priv
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28955
GHSA-32mp-3hhq-7ffx