Description
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
Published: 2026-04-14
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Krayin CRM v2.2.x contains a SQL injection flaw in the rotten_lead parameter handled by LeadDataGrid.php. By injecting SQL through this parameter, an attacker can read sensitive data, modify database entries, or potentially elevate privileges. The weakness is classified as CWE-89 (SQL injection).

Affected Systems

All installations running Krayin CRM version 2.2.x are affected. The vulnerability is present in the web application component that processes the rotten_lead input when rendering lead data.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending a crafted HTTP request to /Lead/LeadDataGrid.php with a malicious rotten_lead value. No explicit authentication requirement is stated, so it may be exploitable from an unauthenticated web request or from an authenticated session, depending on the other access controls implemented by the application.

Generated by OpenCVE AI on April 14, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that your installation is running Krayin CRM v2.2.x
  • Apply any official patch or upgrade to a newer version if available
  • If a patch is not available, sanitize or validate the rotten_lead parameter to prevent arbitrary SQL execution
  • Monitor application logs for unusual database queries that could indicate an attempted injection
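As an added illustration of the third recommended action (validating the rotten_lead parameter and keeping it out of the SQL text), the snippet below shows the two controls a fix normally needs: an allowlist check before the value is used, and a prepared statement with a bound parameter instead of string concatenation. This is example code written for this page, not Krayin's own code; the `leads` table, its columns, and the assumption that rotten_lead is a 0/1 filter flag are hypothetical, and the in-memory SQLite rows are constructed for the demo.

```php
<?php
// Added example, not Krayin code. The table name, column names and the
// assumption that rotten_lead is a 0/1 flag are hypothetical.
declare(strict_types=1);

// VULNERABLE pattern, shown only for contrast: the request value becomes part
// of the SQL text, so the database executes whatever the client sent.
function leadsByRottenStatusUnsafe(PDO $db, string $rottenLead): array
{
    $sql = "SELECT id, title FROM leads WHERE rotten_lead = " . $rottenLead;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: reject anything outside the values the filter can legitimately
// take, then pass the value to the database as a bound integer parameter.
function leadsByRottenStatus(PDO $db, string $rottenLead): array
{
    // Strict comparison: "01", " 1" or "1abc" are all rejected.
    if (!in_array($rottenLead, ['0', '1'], true)) {
        throw new InvalidArgumentException('rotten_lead must be 0 or 1');
    }

    $stmt = $db->prepare('SELECT id, title FROM leads WHERE rotten_lead = :rotten');
    $stmt->bindValue(':rotten', (int) $rottenLead, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE leads (id INTEGER PRIMARY KEY, title TEXT, rotten_lead INTEGER)');
$db->exec("INSERT INTO leads (title, rotten_lead) VALUES ('Acme renewal', 0), ('Stale prospect', 1)");

print_r(leadsByRottenStatus($db, '1'));   // returns only the row with rotten_lead = 1

try {
    // A malformed value never reaches the SQL layer; it is rejected up front.
    leadsByRottenStatus($db, 'not-a-flag');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Both controls matter: the allowlist limits the parameter to its intended domain, and the bound parameter guarantees that even a value which slips past validation is treated as data, never as SQL. In a Laravel-based application the same idea applies through the query builder's `where()` bindings rather than raw PDO.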

Generated by OpenCVE AI on April 14, 2026 at 16:25 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Title, value added: SQL Injection in Krayin CRM via rotten_lead
Weaknesses, value added: CWE-89

Tue, 14 Apr 2026 15:45:00 +0000

Description, value added: Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
References
Metrics (cvssV3_1), values added:
{'score': 7.1, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:L/S:U/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:34:54.115Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38528

Vulnrichment

Updated: 2026-04-14T17:34:10.826Z

NVD

Status : Received

Published: 2026-04-14T16:16:43.413

Modified: 2026-04-14T18:17:37.700

Link: CVE-2026-38528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:38Z

Weaknesses