Description
A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in an unknown function in the /inventory/purchase_return_save file of Devs Palace ERP Online version 4.0.0 and earlier. It permits an attacker to inject malicious script content via a manipulated request. The result is client-side code execution in the context of a legitimate user, enabling session hijacking, data theft, or defacement.

Affected Systems

Devs Palace ERP Online users running version 4.0.0 or older are at risk. No other product or version information is listed, so the scope is limited to the specified ERP platform and its affected releases.

Risk and Exploitability

A CVSS score of 4.8 indicates medium severity; the EPSS score is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, and no formal patch or fix has been released by the vendor. The attack can be launched remotely by sending a crafted request to the vulnerable endpoint.

Generated by OpenCVE AI on May 10, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a web application firewall rule to block or sanitize script inputs to the /inventory/purchase_return_save endpoint.
  • Upgrade to a version of Devs Palace ERP Online newer than 4.0.0 once a vendor patch becomes available.
  • Consider implementing strict input validation on the client side to prevent cross-site scripting injection.


Advisories

No advisories yet.

History

Sun, 10 May 2026 02:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: Devs Palace ERP Online purchase_return_save cross site scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79, CWE-94

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T01:30:11.267Z

Reserved: 2026-05-09T07:25:13.570Z

Link: CVE-2026-8218

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T02:16:10.110

Modified: 2026-05-10T02:16:10.110

Link: CVE-2026-8218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T04:00:04Z

Weaknesses