Description
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

A cross-site scripting flaw exists in the composeMail function of the Activities Module/Notes component of krayin's Laravel-CRM. It allows an attacker to inject script content that is later rendered in the mailbox UI, so the script executes in the victim's browser. The root cause is insufficient sanitization of user input before display; the issue is classified under CWE-79 and CWE-94. Successful exploitation can compromise the confidentiality, integrity, and availability of the application by hijacking sessions, stealing credentials, defacing content, or executing arbitrary code on the client side. All releases up to version 2.2 are affected.

Affected Systems

The affected product is krayin's Laravel-CRM, version 2.2 and earlier. The issue resides in the test code located at packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts within the Activities Module/Notes component. A patch was released in commit 73ed28d466bf14787fdb86a120c656a4af270153, which removes the vulnerable processing of user input.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity, but the vulnerability is remotely exploitable and a public exploit is available. Since EPSS data is not provided and the CVE is not listed in the CISA KEV catalog, the likelihood of exploitation depends largely on attacker interest and on whether a vulnerable version is deployed. The malicious payload can be delivered through any interface that allows composing mail in the application, so the attack vector is network-based and requires only that a user view a crafted page. Prompt remediation is essential to prevent XSS attacks.

Generated by OpenCVE AI on April 2, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade krayin/laravel-crm to the latest release (at least 2.3 or later).
  • If an upgrade is not immediately feasible, apply the patch from commit 73ed28d466bf14787fdb86a120c656a4af270153 to the composeMail component.
  • Verify that all input fields in composeMail are sanitized and escape output appropriately.
  • Review other parts of the application for similar input handling issues.
  • Monitor application logs for suspicious XSS activity and keep the system patched.

Advisories
Source: GitHub GHSA
ID: GHSA-9m2v-hc5g-5jpv
Title: Krayin CRM is vulnerable to Cross-site Scripting (XSS)
History

Fri, 03 Apr 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Krayin; Krayin laravel-crm

Type: Vendors & Products
Values Added: Krayin; Krayin laravel-crm

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Added: A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.

Type: Title
Values Added: krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting

Type: Weaknesses
Values Added: CWE-79, CWE-94

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0
{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}

cvssV3_0
{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV3_1
{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}

cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T18:12:16.825Z

Reserved: 2026-04-01T18:56:23.688Z

Link: CVE-2026-5370

Vulnrichment

Updated: 2026-04-02T18:29:46.655Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T18:16:35.343

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:17:19Z

Weaknesses