Description
Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
Published: 2026-05-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious scripts into the comment field used when creating an activity. The application does not sanitize the input before rendering it in the browser, so the script runs in any user’s session that views the activity. This reflected XSS flaw enables arbitrary client‑side code execution, which can be used to steal session cookies, hijack sessions, deface interfaces, or load additional malicious payloads.

Affected Systems

The issue exists in Webkul Krayin CRM version 2.1.5. No other versions are listed as affected in the advisory, so only this specific release is impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity. With no EPSS score available and the vulnerability not listed in the CISA KEV catalog, the current likelihood of exploitation is uncertain. The flaw resides in the /admin/activities/create administrative endpoint, so an attacker would need access to that interface or be able to submit data to it. If the admin portal is exposed, privileged users are at higher risk; ordinary users might be affected only when they view the compromised activity. The overall risk depends on the organization’s exposure, but the flaw can be mitigated with an update.

Generated by OpenCVE AI on May 7, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Webkul Krayin CRM to version 2.1.6 or later to remove the unescaped comment input logic.
  • If an immediate upgrade is not possible, implement server‑side sanitization or escape the comment content before rendering it in any page.
  • Restrict access to the /admin/activities/create endpoint to trusted administrators and monitor for anomalous activity in the activity creation logs.

Generated by OpenCVE AI on May 7, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j822-46r5-h4qx Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint
History

Thu, 07 May 2026 19:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Webkul Krayin CRM 2.1.5 Comment Field

Thu, 07 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting in Webkul Krayin CRM 2.1.5 Comment Field
First Time appeared Krayin
Krayin laravel-crm
Vendors & Products Krayin
Krayin laravel-crm

Thu, 07 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
References

Subscriptions

Krayin Laravel-crm
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T16:14:52.978Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36341

cve-icon Vulnrichment

Updated: 2026-05-07T16:14:48.288Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T16:16:18.900

Modified: 2026-06-17T10:41:06.007

Link: CVE-2026-36341

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T19:30:27Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')