Skip to main content

Devs Palace ERP Online CVE-2026-8220

| EUVDEUVD-2026-28957 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-10 cna@vuldb.com GHSA-w263-9cg4-874f
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 10, 2026 - 03:30 vuln.today
CVE Published
May 10, 2026 - 03:16 nvd
LOW 1.9

DescriptionCVE.org

A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/customer-save endpoint, requiring user interaction to execute. Despite public exploit availability and early vendor notification, no patch or vendor response has been documented. CVSS score of 1.9 reflects high authentication requirements and limited impact scope, though the presence of public exploit code indicates practical demonstration of the vulnerability.

Technical ContextAI

The vulnerability is a reflected XSS flaw (CWE-79) in the customer save functionality of an ERP web application. The /inventory/customer-save endpoint fails to properly sanitize or encode user-supplied input before rendering it in responses, allowing attackers to inject arbitrary JavaScript. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which describes failures in output encoding that enable script injection attacks in web applications. The attack vector is network-based, but exploitation is constrained by high privilege requirements (PR:H) and user interaction (UI:P), indicating the attacker must have administrative or elevated credentials and the victim must trigger the attack.

RemediationAI

Upgrade Devs Palace ERP Online to a version newer than 4.0.0 if available from the vendor; however, given the vendor's non-response to early disclosure notification, patch availability is uncertain and should be verified directly with the vendor or through the application's update mechanism. If no patched version is available, implement compensating controls: restrict network access to the /inventory/customer-save endpoint using a Web Application Firewall (WAF) to block requests containing script tags or event handlers (e.g., block payloads matching '<script', 'onerror=', 'onload='); configure Content Security Policy (CSP) headers to prevent inline script execution (policy-directive: script-src 'self'; note this may break legitimate functionality depending on application design); restrict administrative user accounts to trusted IP ranges and monitor admin account activity for anomalous access patterns; and consider disabling or removing the ERP Online application if it is no longer actively maintained and alternative solutions are available. Each control has trade-offs: WAF rules may cause false positives and require tuning, CSP implementation may require application code changes, and IP whitelisting reduces mobility but increases network friction.

Share

CVE-2026-8220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy