Skip to main content

Devs Palace ERP Online CVE-2026-8219

| EUVDEUVD-2026-28955 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-10 VulDB GHSA-32mp-3hhq-7ffx
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 10, 2026 - 02:29 vuln.today
CVSS changed
May 10, 2026 - 02:22 NVD
2.4 (LOW) 1.9 (LOW)
CVE Published
May 10, 2026 - 01:45 nvd
LOW 1.9

DescriptionCVE.org

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/supplier-save endpoint, affecting data integrity and confidentiality of other users viewing the supplier data. The vulnerability requires user interaction (UI:P) and high-level privileges (PR:H), limiting its exploitation scope; however, publicly available exploit code exists and the vendor has not responded to disclosure.

Technical ContextAI

The vulnerability exists in the /inventory/supplier-save functionality of Devs Palace ERP Online, a web-based enterprise resource planning system. CWE-79 (Improper Neutralization of Input During Web Page Generation) indicates that user-supplied input is not properly sanitized or encoded before being reflected or stored in dynamically generated web content. The affected CPE (cpe:2.3:a:devs_palace:erp_online:*:*:*:*:*:*:*:*) encompasses all versions of ERP Online up to and including 4.0.0. An attacker with high-level administrative privileges can inject JavaScript payloads through the supplier save form that will execute in the context of other users' browsers when they access supplier data, typically leading to session hijacking, credential theft, or unauthorized modifications.

RemediationAI

Upgrade to a patched version if the vendor releases one; however, no vendor-released patch has been identified at the time of analysis and the vendor has not responded to disclosure. Implement input validation and output encoding on the /inventory/supplier-save endpoint to sanitize and escape all user inputs, particularly in supplier name, contact, and description fields. Deploy a Web Application Firewall (WAF) with XSS detection rules to block payloads containing script tags, event handlers, and JavaScript: protocol URIs. Restrict access to the /inventory/supplier-save endpoint to a minimal set of trusted administrators using network-level access controls or IP whitelisting. Enable Content Security Policy (CSP) headers on all ERP Online pages to prevent inline script execution, mitigating the impact of stored XSS even if payloads are stored. Audit existing supplier records for injected scripts and remove any suspicious content. These controls trade off some administrative convenience for substantially reduced XSS attack surface until vendor patching is available.

Share

CVE-2026-8219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy