Description
Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
Published: 2026-05-07
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker could inject malicious scripts into the comment field when creating an activity on the /admin/activities/create endpoint. The application does not properly sanitize user-supplied input, allowing injected script code to execute in the browser context of any user viewing the activity. This reflected XSS flaw permits execution of arbitrary client-side code, which could be used to steal session cookies, hijack user sessions, deface the interface, or load additional malicious payloads. The weakness is a classic Cross‑Site Scripting attack (CWE‑79).

Affected Systems

The vulnerability is present in Webkul Krayin CRM version 2.1.5. No other affected versions are listed, and the issue is limited to this product and release.

Risk and Exploitability

No EPSS score is available, and the vulnerability is not in the CISA KEV catalog, so exploitation probability is currently unknown. The flaw resides in an administrative endpoint, implying that an attacker needs access to the admin interface or a way to submit data to that endpoint. Without a public exploit, the risk depends on the organization’s exposure of the admin interface. The impact level of reflected XSS can range from moderate to high depending on whether the victim is an administrator or a regular user, as it can lead to credential theft and session hijacking. The CVSS score is not provided, but such vulnerabilities are typically considered high severity.

Generated by OpenCVE AI on May 7, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Webkul Krayin CRM to version 2.1.6 or later to eliminate the unescaped comment input issue.
  • Implement server‑side sanitization or output encoding for all user-supplied data entered via the comment field, ensuring that scripts cannot be rendered.
  • Restrict access to the /admin/activities/create endpoint to authenticated administrators only, and enforce proper role‑based access controls.

Generated by OpenCVE AI on May 7, 2026 at 17:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Webkul Krayin CRM 2.1.5 Comment Field
First Time appeared Krayin
Krayin laravel-crm
Vendors & Products Krayin
Krayin laravel-crm

Thu, 07 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
References

Subscriptions

Krayin Laravel-crm
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T16:14:52.978Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36341

cve-icon Vulnrichment

Updated: 2026-05-07T16:14:48.288Z

cve-icon NVD

Status : Received

Published: 2026-05-07T16:16:18.900

Modified: 2026-05-07T17:15:58.430

Link: CVE-2026-36341

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T17:30:25Z

Weaknesses