Devs Palace ERP Online CVE-2026-8253
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchase_save. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged users to inject malicious scripts via the /inventory/purchase_save endpoint, affecting the confidentiality of other users' sessions. The vulnerability requires administrative-level privileges and user interaction (UI:R), resulting in a low CVSS score of 2.4, though publicly available exploit code exists and the vendor has not responded to disclosure attempts.
Technical ContextAI
This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a web-based enterprise resource planning (ERP) system. The vulnerable endpoint /inventory/purchase_save fails to properly sanitize or encode user-supplied input before rendering it in web responses. The attack vector is network-based (AV:N), accessible through standard HTTP/HTTPS protocols. The CPE indicates all versions of Devs Palace ERP Online up to 4.0.0 are affected. The attack complexity is low (AC:L), meaning no special conditions or timing are required to trigger the flaw once the attacker gains high-privilege access.
RemediationAI
No vendor-released patch has been identified at the time of analysis, and the vendor has not responded to disclosure attempts. Organizations using Devs Palace ERP Online should immediately implement the following compensating controls: (1) Restrict access to the /inventory/purchase_save endpoint to the smallest set of administrative users necessary, using network-layer access controls or web application firewall rules; (2) Apply strict input validation and output encoding rules at the application level if supported by the ERP configuration, explicitly blocking or encoding HTML/JavaScript characters in purchase-related fields; (3) Implement Content Security Policy (CSP) headers to prevent inline script execution and restrict script sources to explicitly trusted origins; (4) Monitor and audit access logs for /inventory/purchase_save requests, alerting on unusual patterns; (5) Consider migration to a competing ERP solution if the vendor's non-responsiveness to security issues is unacceptable for your compliance or risk posture. No workaround fully eliminates the vulnerability without vendor involvement.
More in Erp Online
View allCross-site scripting (XSS) vulnerability in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privile
Reflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated
Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0 allows authenticated users with
Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated use
Cross-site scripting (XSS) in erponline.xyz ERP Online up to version 4.0.0 allows authenticated attackers with high priv
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today