Skip to main content

Devs Palace ERP Online EUVDEUVD-2026-28954

| CVE-2026-8218 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-10 VulDB GHSA-26gm-rrp5-38p4
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 10, 2026 - 02:29 vuln.today
CVSS changed
May 10, 2026 - 02:22 NVD
2.4 (LOW) 1.9 (LOW)
CVE Published
May 10, 2026 - 01:30 nvd
LOW 1.9

DescriptionCVE.org

A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/purchase_return_save endpoint. The vulnerability requires user interaction (UI:P) to trigger, and publicly available exploit code exists. The vendor has not responded to disclosure attempts, leaving affected installations without official guidance or patches.

Technical ContextAI

The vulnerability is a classic CWE-79 reflected or stored XSS flaw in the purchase return processing functionality of the ERP system. The affected endpoint /inventory/purchase_return_save fails to properly sanitize or encode user-supplied input before rendering it in responses or storing it in the database. ERP Online is a web-based enterprise resource planning application, and this specific function handles inventory purchase return transactions. The CVSS vector indicates the vulnerability requires high-level privileges (PR:H, likely administrative access) to exploit and necessitates user interaction (UI:P), suggesting the malicious payload must be crafted by the attacker and delivered to another user or administrator for activation, or the high-privilege user must be socially engineered into triggering the malicious input.

RemediationAI

No vendor-released patch identified at time of analysis, as the vendor has not responded to disclosure attempts. Immediate remediation options are limited to compensating controls: (1) Restrict access to the /inventory/purchase_return_save endpoint to only the users and IP addresses that genuinely require it, using web application firewall (WAF) rules or network access controls; side effect is reduced flexibility for remote inventory management. (2) Implement strict input validation and output encoding at the web server level using ModSecurity or similar WAF rulesets with XSS-specific signatures; this may block legitimate use cases if overly aggressive. (3) Disable the purchase return functionality entirely if not in active use, eliminating the attack surface. (4) Apply HTTP security headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options) to mitigate XSS impact even if injection occurs. (5) Monitor administrator account activity and log all interactions with the /inventory/purchase_return_save endpoint for forensic detection of attacks. Given the vendor's non-responsiveness, consider evaluating alternative ERP platforms or requesting security updates directly from the vendor with a formal deadline. Reference: https://vuldb.com/vuln/362435

Share

EUVD-2026-28954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy