Skip to main content

Devs Palace ERP Online CVE-2026-8254

| EUVDEUVD-2026-29009 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 cna@vuldb.com GHSA-pcm6-qc55-rgw2
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 00:30 vuln.today
CVE Published
May 11, 2026 - 00:16 nvd
LOW 1.9

DescriptionCVE.org

A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/sales_save endpoint with user interaction, resulting in integrity impact. The exploit code has been publicly released and the vendor has not responded to early disclosure attempts, leaving affected deployments without vendor-provided patches.

Technical ContextAI

The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in the sales save functionality of the ERP system's inventory module. The /inventory/sales_save file fails to properly sanitize or encode user-controlled input before rendering it in responses or storing it in the database. XSS vulnerabilities in this context allow attackers to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of compromised users. The CVSS v4.0 vector indicates the attack requires high privilege level (PR:H) and user interaction (UI:P), limiting the practical attack surface compared to unauthenticated XSS vulnerabilities.

RemediationAI

No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure attempts. Organizations using Devs Palace ERP Online should implement the following compensating controls: (1) restrict access to the /inventory/sales_save endpoint and broader /inventory/* paths to a minimal set of trusted administrator accounts; (2) implement a Web Application Firewall (WAF) rule set to detect and block XSS payloads in inventory-related parameters, with the caveat that this adds operational overhead and may generate false positives; (3) enforce Content Security Policy (CSP) headers in the ERP application to prevent inline script execution, limiting JavaScript to whitelisted domains; (4) conduct a thorough review of user accounts with high privilege level (PR:H) to identify and revoke unnecessary administrative access; (5) implement robust logging and alerting on any modifications to inventory sales records to detect exploitation attempts. If available, consider evaluating alternative ERP solutions with active vendor support. Given the public POC and unresponsive vendor, affected organizations should prioritize upgrading to a replacement product or vendor if Devs Palace ERP Online represents a critical system.

Share

CVE-2026-8254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy