Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
AnalysisAI
Stored cross-site scripting (XSS) in Webkul Krayin CRM v2.1.5 allows authenticated users to inject malicious scripts via unsanitized input in the Activity comment field on the /admin/activities/create endpoint, which execute when viewed by other administrators. The vulnerability requires user interaction (viewing the compromised activity) and authenticated access, limiting scope to C (confidentiality) and I (integrity) with partial impact; publicly available proof-of-concept code exists but exploitation is not confirmed in the wild. Fixed in version v2.1.6 via application of input sanitization using strip_tags() across multiple vulnerable Blade templates.
Technical ContextAI
Webkul Krayin CRM is a Laravel-based customer relationship management platform. The vulnerability stems from inadequate input validation and output encoding in Blade template rendering. User-supplied data (names, titles, subjects, and comments) is passed directly to @lang() translation functions or {{ }} output constructs without sanitization, allowing HTML and JavaScript injection. The fix applies strip_tags() function during template rendering to remove HTML tags from user-controlled variables before display. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a failure to encode or filter user input at the output layer. Multiple templates were affected: contacts/persons/view.blade.php, leads/view.blade.php, products/view.blade.php, configuration/edit.blade.php, mail/view.blade.php, and settings components, indicating systemic lack of output encoding across the codebase.
RemediationAI
Upgrade to Webkul Krayin CRM v2.1.6 or later immediately, which applies strip_tags() sanitization across all vulnerable Blade templates (confirmed via GitHub PR #2401). For deployments unable to upgrade immediately, restrict admin panel access to trusted internal users only via network segmentation or IP whitelisting on the /admin/activities/create endpoint, and disable Activity comment functionality if not essential. Additionally, implement Content Security Policy (CSP) headers with script-src 'self' to mitigate stored XSS payload execution in the browser as a compensating control, though this does not prevent injection. Monitor admin user activity logs for suspicious activity creation or comments containing HTML/JavaScript syntax. Apply the patch at https://github.com/krayin/laravel-crm/pull/2401 via version upgrade; manual patch application is not recommended due to complexity of template changes across multiple files.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28390
GHSA-j822-46r5-h4qx