Skip to main content

Devs Palace ERP Online CVE-2026-8262

| EUVDEUVD-2026-29018 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 cna@vuldb.com GHSA-xqwv-c88m-wq93
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 02:30 vuln.today
CVE Published
May 11, 2026 - 02:16 nvd
LOW 1.9

DescriptionCVE.org

A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /accounts/chart-save. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in Devs Palace ERP Online version 4.0.0 and earlier allows authenticated high-privilege users to inject malicious scripts via the /accounts/chart-save endpoint. The vulnerability requires user interaction (UI:P) to trigger and results in limited integrity impact. Publicly available exploit code exists, though the CVSS 4.0 score of 1.9 reflects low severity due to the high privilege requirement (PR:H) and user interaction dependency.

Technical ContextAI

The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in the /accounts/chart-save file handler within Devs Palace ERP Online. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), indicating no special network conditions are required. The root cause is improper input validation or output encoding of user-supplied data in the chart save functionality, allowing attacker-controlled input to be executed as JavaScript in a user's browser context. The high privilege requirement (PR:H) suggests the vulnerability is exploitable only by administrative or high-privileged user accounts within the ERP system.

RemediationAI

No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure notification. Immediate mitigations include: (1) Restrict administrative access to the /accounts/chart-save endpoint using network-based access controls (firewall rules, reverse proxy filtering) to only trusted IP ranges or disable the endpoint entirely if unused; (2) Enforce strong privileged access management (PAM) policies, including multi-factor authentication for high-privilege accounts, to reduce the likelihood of account compromise; (3) Implement Content Security Policy (CSP) headers with strict script-src directives to mitigate reflected XSS impact even if the vulnerability is exploited; (4) Monitor audit logs for suspicious requests to /accounts/chart-save and anomalous chart save operations from privileged accounts. Monitor the vendor's website or contact them directly for patch availability. If a patch is released, upgrade to the latest patched version immediately.

Share

CVE-2026-8262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy