Skip to main content

Devs Palace ERP Online CVE-2026-8253

LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-10 VulDB
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 00:22 NVD
2.4 (LOW) 1.9 (LOW)
Analysis Generated
May 11, 2026 - 00:00 vuln.today
CVE Published
May 10, 2026 - 23:30 nvd
LOW 2.4

DescriptionCVE.org

A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchase_save. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged users to inject malicious scripts via the /inventory/purchase_save endpoint, affecting the confidentiality of other users' sessions. The vulnerability requires administrative-level privileges and user interaction (UI:R), resulting in a low CVSS score of 2.4, though publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Technical ContextAI

This is a classic reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a web-based enterprise resource planning (ERP) system. The vulnerable endpoint /inventory/purchase_save fails to properly sanitize or encode user-supplied input before rendering it in web responses. The attack vector is network-based (AV:N), accessible through standard HTTP/HTTPS protocols. The CPE indicates all versions of Devs Palace ERP Online up to 4.0.0 are affected. The attack complexity is low (AC:L), meaning no special conditions or timing are required to trigger the flaw once the attacker gains high-privilege access.

RemediationAI

No vendor-released patch has been identified at the time of analysis, and the vendor has not responded to disclosure attempts. Organizations using Devs Palace ERP Online should immediately implement the following compensating controls: (1) Restrict access to the /inventory/purchase_save endpoint to the smallest set of administrative users necessary, using network-layer access controls or web application firewall rules; (2) Apply strict input validation and output encoding rules at the application level if supported by the ERP configuration, explicitly blocking or encoding HTML/JavaScript characters in purchase-related fields; (3) Implement Content Security Policy (CSP) headers to prevent inline script execution and restrict script sources to explicitly trusted origins; (4) Monitor and audit access logs for /inventory/purchase_save requests, alerting on unusual patterns; (5) Consider migration to a competing ERP solution if the vendor's non-responsiveness to security issues is unacceptable for your compliance or risk posture. No workaround fully eliminates the vulnerability without vendor involvement.

Share

CVE-2026-8253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy