Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /accounts/chart-save. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Cross-site scripting (XSS) in Devs Palace ERP Online version 4.0.0 and earlier allows authenticated high-privilege users to inject malicious scripts via the /accounts/chart-save endpoint. The vulnerability requires user interaction (UI:P) to trigger and results in limited integrity impact. Publicly available exploit code exists, though the CVSS 4.0 score of 1.9 reflects low severity due to the high privilege requirement (PR:H) and user interaction dependency.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in the /accounts/chart-save file handler within Devs Palace ERP Online. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), indicating no special network conditions are required. The root cause is improper input validation or output encoding of user-supplied data in the chart save functionality, allowing attacker-controlled input to be executed as JavaScript in a user's browser context. The high privilege requirement (PR:H) suggests the vulnerability is exploitable only by administrative or high-privileged user accounts within the ERP system.
RemediationAI
No vendor-released patch has been identified at time of analysis, as the vendor did not respond to early disclosure notification. Immediate mitigations include: (1) Restrict administrative access to the /accounts/chart-save endpoint using network-based access controls (firewall rules, reverse proxy filtering) to only trusted IP ranges or disable the endpoint entirely if unused; (2) Enforce strong privileged access management (PAM) policies, including multi-factor authentication for high-privilege accounts, to reduce the likelihood of account compromise; (3) Implement Content Security Policy (CSP) headers with strict script-src directives to mitigate reflected XSS impact even if the vulnerability is exploited; (4) Monitor audit logs for suspicious requests to /accounts/chart-save and anomalous chart save operations from privileged accounts. Monitor the vendor's website or contact them directly for patch availability. If a patch is released, upgrade to the latest patched version immediately.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29018
GHSA-xqwv-c88m-wq93