Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/sales_save endpoint with user interaction, resulting in integrity impact. The exploit code has been publicly released and the vendor has not responded to early disclosure attempts, leaving affected deployments without vendor-provided patches.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in the sales save functionality of the ERP system's inventory module. The /inventory/sales_save file fails to properly sanitize or encode user-controlled input before rendering it in responses or storing it in the database. XSS vulnerabilities in this context allow attackers to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of compromised users. The CVSS v4.0 vector indicates the attack requires high privilege level (PR:H) and user interaction (UI:P), limiting the practical attack surface compared to unauthenticated XSS vulnerabilities.
RemediationAI
No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure attempts. Organizations using Devs Palace ERP Online should implement the following compensating controls: (1) restrict access to the /inventory/sales_save endpoint and broader /inventory/* paths to a minimal set of trusted administrator accounts; (2) implement a Web Application Firewall (WAF) rule set to detect and block XSS payloads in inventory-related parameters, with the caveat that this adds operational overhead and may generate false positives; (3) enforce Content Security Policy (CSP) headers in the ERP application to prevent inline script execution, limiting JavaScript to whitelisted domains; (4) conduct a thorough review of user accounts with high privilege level (PR:H) to identify and revoke unnecessary administrative access; (5) implement robust logging and alerting on any modifications to inventory sales records to detect exploitation attempts. If available, consider evaluating alternative ERP solutions with active vendor support. Given the public POC and unresponsive vendor, affected organizations should prioritize upgrading to a replacement product or vendor if Devs Palace ERP Online represents a critical system.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29009
GHSA-pcm6-qc55-rgw2