Skip to main content

Devs Palace ERP Online CVE-2026-8256

| EUVDEUVD-2026-29011 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 VulDB GHSA-r9xw-wmrc-hvjc
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 02:22 NVD
2.4 (LOW) 1.9 (LOW)
Analysis Generated
May 11, 2026 - 02:00 vuln.today
CVE Published
May 11, 2026 - 00:15 nvd
LOW 2.4

DescriptionCVE.org

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. This vulnerability affects unknown code of the file /accounts/mr-save. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /accounts/mr-save endpoint, enabling session hijacking or credential theft with user interaction. Exploit code is publicly available and the vendor has not responded to disclosure efforts, leaving affected deployments without an official patch.

Technical ContextAI

The vulnerability is a reflected XSS flaw (CWE-79) in the /accounts/mr-save file handler of Devs Palace ERP Online, an enterprise resource planning system. The affected component fails to properly sanitize or encode user-supplied input before rendering it in HTTP responses. This allows attackers with administrative or high-level privileges (PR:H per CVSS vector) to craft malicious URLs or form submissions containing JavaScript payloads. When a user with sufficient privileges visits the crafted link or interacts with the compromised form, the browser executes the attacker-injected script in the context of the user's session, compromising session tokens or modifying account data.

RemediationAI

No vendor-released patch is available at this time. Organizations should immediately implement the following mitigations: (1) Restrict access to the /accounts/mr-save endpoint via network-level controls (firewall rules, WAF policies) to trusted internal IP ranges only, reducing exposure to remote attackers despite the AV:N vector. (2) Enforce strict input validation and output encoding on all user-supplied data in the accounts module using a Web Application Firewall (WAF) with XSS filtering rules; this may incur slight latency overhead but prevents payload injection. (3) Disable or revoke high-privilege accounts (PR:H requirement) that are not actively required for daily operations, reducing the attack surface to admin-level users only. (4) Implement Content Security Policy (CSP) headers with strict-origin-when-cross-origin and script-src directives to block inline JavaScript execution, limiting XSS impact even if payloads reach the client. (5) Monitor and log all access to /accounts/mr-save for anomalous patterns indicating exploitation attempts. Monitor the vendor's website and VulDB for patch releases, and prepare an upgrade plan to the next available patched version when released. References: VulDB entry https://vuldb.com/vuln/362553.

Share

CVE-2026-8256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy