Description
A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
Published: 2026-04-14
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: Internal Resource Exposure
Action: Patch
AI Analysis

Impact

An SSRF flaw exists in the /settings/webhooks/create route of Webkul Krayin CRM version 2.2.x. A crafted request can make the server fetch arbitrary URLs, letting an attacker probe internal network services. This could disclose internal resources or enable further exploitation if those services are themselves vulnerable, compromising confidentiality and, should a service be disrupted, availability.

Affected Systems

Webkul Krayin CRM, specifically version 2.2.x, is affected by this SSRF. The vulnerability resides in the webhook creation component and can be triggered by any user able to submit a POST request to the /settings/webhooks/create endpoint.

Risk and Exploitability

With a CVSS base score of 8.5, this issue is classified as high risk. The potential for exploitation is significant because the flaw can be triggered over the network, likely without authentication if the webhook creation page is publicly reachable. The EPSS score is not available, and the absence of an entry in the KEV catalog does not reduce the likelihood of exploitation: the flaw is sufficient for internal reconnaissance and could serve as a foothold for persistence or privilege escalation attacks against exposed services. No vendor patch is currently available, so the vulnerability remains exploitable until remedial action is taken.

Generated by OpenCVE AI on April 14, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of Webkul Krayin CRM once a patch addressing the SSRF is released.
  • Restrict the /settings/webhooks/create endpoint so that only authenticated administrators can access it, and enforce whitelist validation on the target URLs.
  • Disable outbound RPC or internal service calls that are not required for the webhook functionality.
  • Monitor application logs for anomalous POST requests to the webhook endpoint and promptly investigate any suspicious activity.
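The allowlist check recommended above, written out as an added example in Python (this is not Krayin's code; the host names, the allowlist and the offline DNS table are constructed). It accepts a webhook target only if the scheme is https, the host is on the operator's allowlist, and every address the host resolves to is public, which also covers the loopback and cloud-metadata ranges an SSRF typically reaches.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample allowlist; a real deployment loads this from config.
ALLOWED_WEBHOOK_HOSTS = {"hooks.example.com", "events.example.net"}

def resolve_all(host):
    """Every A/AAAA address for host via live DNS (the default resolver)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_address(ip_text):
    """False for loopback, RFC 1918, link-local (incl. 169.254.169.254), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_webhook_url(url, allowed_hosts=ALLOWED_WEBHOOK_HOSTS, resolver=resolve_all):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    # An allowlisted name is not enough: check what it resolves to, so a
    # record pointing at 127.0.0.1 or a metadata endpoint is still rejected.
    try:
        addrs = resolver(host)
    except OSError:
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, "host resolves to non-public address " + bad[0]
    # Connect to one of `addrs` without re-resolving and do not follow redirects,
    # or DNS rebinding / an open redirect reintroduces the SSRF.
    return True, "ok"

# Constructed offline DNS table for the demo (8.8.8.8 stands in for a public receiver).
SAMPLE_DNS = {"hooks.example.com": ["8.8.8.8"],
              "events.example.net": ["10.0.0.5", "8.8.4.4"]}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError("no such host")
    return SAMPLE_DNS[host]
```

Call `validate_webhook_url(url, resolver=sample_resolver)` to exercise the checks offline; in production omit the `resolver` argument so live DNS is used.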

Generated by OpenCVE AI on April 14, 2026 at 16:26 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Server-Side Request Forgery in Webkul Krayin CRM Webhooks Endpoint Enables Internal Network Discovery
Weaknesses CWE-918

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:L/S:C/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:36:59.813Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38527

Vulnrichment

Updated: 2026-04-14T17:35:48.366Z

NVD

Status: Received

Published: 2026-04-14T16:16:43.270

Modified: 2026-04-14T18:17:37.553

Link: CVE-2026-38527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:39Z

Weaknesses