Skip to main content

Devs Palace ERP Online CVE-2026-8256

| EUVD-2026-29011 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 VulDB GHSA-r9xw-wmrc-hvjc
XSS
1.9
CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 02:22 NVD
2.4 (LOW) 1.9 (LOW)
Analysis Generated
May 11, 2026 - 02:00 vuln.today
CVE Published
May 11, 2026 - 00:15 nvd
LOW 2.4

DescriptionNVD

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. This vulnerability affects unknown code of the file /accounts/mr-save. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /accounts/mr-save endpoint, enabling session hijacking or credential theft with user interaction. Exploit code is publicly available and the vendor has not responded to disclosure efforts, leaving affected deployments without an official patch.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-8256 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy