Description
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
Published: 2026-04-14
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x. An authenticated user can upload a crafted PHP file. The web application accepts the file without validating the file type, allowing the attacker to place a PHP script in the upload directory. Once the file is uploaded, the attacker can access it via a web browser, resulting in remote code execution. This undermines the confidentiality, integrity, and availability of the application and its underlying operating system.

Affected Systems

The affected product is Webkul Krayin CRM version 2.2.x. The CRM is offered by Webkul under the Krayin branding. Specific sub‑versions are not listed, but any release identified as 2.2.x is vulnerable.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. The vulnerability requires authenticated access to the admin interface, but once logged in, the attacker can upload an arbitrary PHP file without restrictions. Because the EPSS score is not available and the issue is not cataloged in CISA’s KEV, exploit data is limited, yet the high CVSS suggests the potential for widespread damage if the vulnerability is exploited. No public exploit was reported at the time of this assessment, but in the absence of a patch, administrators should treat the vulnerability as actively exploitable.

Generated by OpenCVE AI on April 14, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webkul Krayin CRM to a patched version that removes the unrestricted upload feature.
  • If upgrading is not feasible, reconfigure the web server or application to block PHP execution within the upload directory.
  • Implement file‑type validation so that only safe image or non‑executable files can be uploaded.
  • Apply role‑based access controls to limit who can access the /admin/tinymce/upload endpoint.
  • Monitor logs for unauthorized upload attempts and enforce strict audit logging.
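
The file-type validation recommended above, as an added illustration that is not Krayin's upload handler nor OpenCVE material; the logic is written in Python as a portable sketch, and the allowed image types, executable-extension list and magic bytes are assumed policy for an image-only editor endpoint such as a TinyMCE uploader:

```python
import os
import re
import secrets

# Allowlist for an image-only editor upload endpoint (constructed policy):
# extension -> magic bytes the file content must start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a typical web server hands to the PHP interpreter (constructed list).
EXECUTABLE_EXTS = {"php", "phtml", "phar", "php3", "php5", "php7", "phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(client_name, data):
    """Return (accepted, reason) for an uploaded file.

    Accept only when the last extension is on the image allowlist, no
    intermediate extension is executable (shell.php.png), the content's
    magic bytes match the claimed type, and no PHP open tag is embedded
    (image/PHP polyglot).
    """
    parts = os.path.basename(client_name).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_MAGIC:
        return False, "extension .%s not allowed" % ext
    if EXECUTABLE_EXTS.intersection(parts[1:-1]):
        return False, "executable double extension"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(client_name, data):
    """Validate, then return a server-chosen random filename so the client
    never controls the name or path written to disk. Raises on rejection."""
    accepted, reason = validate_upload(client_name, data)
    if not accepted:
        raise ValueError(reason)
    ext = client_name.rsplit(".", 1)[-1].lower()
    return "%s.%s" % (secrets.token_hex(16), ext)
```

Content checks like these complement, rather than replace, the web-server rule above that denies PHP execution inside the upload directory.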

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authenticated Arbitrary File Upload Allowing Remote Code Execution in Webkul Krayin CRM v2.2.x
Weaknesses CWE-434

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:50:54.198Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38526

Vulnrichment

Updated: 2026-04-14T17:50:23.352Z

NVD

Status: Received

Published: 2026-04-14T16:16:43.127

Modified: 2026-04-14T18:17:37.397

Link: CVE-2026-38526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:40Z

Weaknesses