Skip to main content

Devs Palace ERP Online CVE-2026-8255

| EUVDEUVD-2026-29010 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 VulDB GHSA-v5h9-qhjf-j7x7
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 11, 2026 - 00:30 vuln.today
CVSS changed
May 11, 2026 - 00:22 NVD
2.4 (LOW) 1.9 (LOW)
CVE Published
May 11, 2026 - 00:00 nvd
LOW 1.9

DescriptionCVE.org

A weakness has been identified in Devs Palace ERP Online up to 4.0.0. This affects an unknown part of the file /inventory/add_new_customer. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0 allows authenticated users with high privileges to inject malicious scripts via the /inventory/add_new_customer endpoint. The vulnerability requires user interaction (UI:P) and has publicly available exploit code, but real-world impact is significantly limited by the requirement for authenticated high-privilege access and user interaction, resulting in a CVSS score of only 1.9 despite network accessibility.

Technical ContextAI

This is a reflected or stored cross-site scripting (CWE-79) vulnerability in the customer management functionality of an enterprise resource planning (ERP) application. The flaw exists in the /inventory/add_new_customer file handler, which fails to properly sanitize or encode user-supplied input before rendering it in web responses. The vulnerability chain involves an authenticated user with high-privilege credentials (PR:H) crafting malicious JavaScript within the customer addition form, which is then executed in the context of another user's browser session if that user views the crafted content. The CPE indicates all versions of Devs Palace ERP Online up to and including 4.0.0 are affected.

RemediationAI

No vendor-released patch identified at time of analysis - the developer has not responded to disclosure attempts. Immediate workarounds include: (1) Restrict access to the /inventory/add_new_customer endpoint to only necessary administrative users via network access controls or web application firewall rules, (2) Implement input validation and output encoding at the application level by sanitizing all user inputs for special characters and HTML entities before storage and display, (3) Enable Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution, and (4) Consider implementing Web Application Firewall (WAF) rules to detect and block XSS payloads in POST requests to the affected endpoint. If available, review Devs Palace security advisories directly or contact the vendor for manual patch development. In high-security environments, consider evaluating alternative ERP solutions with active vendor support.

Share

CVE-2026-8255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy