Skip to main content

Devs Palace ERP Online EUVDEUVD-2026-28956

| CVE-2026-8221 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-10 cna@vuldb.com GHSA-fh7r-pr96-fhc8
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
May 10, 2026 - 03:30 vuln.today
CVE Published
May 10, 2026 - 03:16 nvd
LOW 1.9

DescriptionCVE.org

A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting (XSS) in Devs Palace ERP Online through version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/item-save endpoint, requiring user interaction (UI:P) for exploitation. Public exploit code is available, and the vendor has not responded to early disclosure notification, leaving affected deployments without an official patch and at risk of account compromise or session hijacking by attackers with high administrative privileges.

Technical ContextAI

The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in the item inventory management function of Devs Palace ERP Online. The /inventory/item-save endpoint fails to properly sanitize or validate user input before rendering it in web responses. The CVSS 4.0 vector indicates the attack requires network access (AV:N), low complexity (AC:L), high privileges (PR:H), and user interaction (UI:P), limiting the threat to authenticated administrators or high-privilege accounts whose interaction is needed to complete the attack chain. The integrity impact is limited (VI:L), affecting confidentiality or session integrity rather than full system compromise.

RemediationAI

No vendor-released patch is available at time of analysis; the vendor did not respond to early disclosure notification. Organizations running Devs Palace ERP Online 4.0.0 or earlier should implement the following mitigations in order of effectiveness: (1) Upgrade to a patched version if the vendor releases one (monitor https://vuldb.com/vuln/362438 for updates); (2) Restrict admin panel access to internal IP ranges using firewall rules or Web Application Firewall (WAF) rules, preventing remote attackers from reaching the vulnerable endpoint; (3) Implement input validation and output encoding in the /inventory/item-save endpoint via WAF rules that strip or encode HTML/JavaScript characters; (4) Enforce Content Security Policy (CSP) headers (Content-Security-Policy: default-src 'self') to mitigate XSS payload execution even if injected; (5) Mandate multi-factor authentication (MFA) for admin accounts to reduce credential theft risk from session hijacking. Compensating controls trade convenience for security: IP whitelisting reduces flexibility for remote admins, and WAF rules require tuning to avoid blocking legitimate inventory operations.

Share

EUVD-2026-28956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy