Description
A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site scripting flaw exists in an unknown function of the /inventory/supplier-save endpoint in Devs Palace ERP Online. The flaw allows attackers to inject arbitrary HTML or JavaScript that is executed in the browser of any user who views the page. The vulnerability is characterized as CWE-79 and also involves a code evaluation weakness (CWE-94). It is not an arbitrary code execution vulnerability, but it permits the execution of user-supplied scripts in the client context.

Affected Systems

All installations of Devs Palace ERP Online with a version of 4.0.0 or earlier are affected. The specific function that processes supplier data in the /inventory/supplier-save path is impacted.

Risk and Exploitability

The CVSS base score of 4.8 classifies the problem as moderate severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, but the vulnerability has already been publicly disclosed. It is not listed in CISA’s KEV catalog. Remote exploitation is possible, and an attacker would need to send crafted input to the supplier-save endpoint, which is reachable via the web interface of the ERP system.

Generated by OpenCVE AI on May 10, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Devs Palace ERP Online to a version newer than 4.0.0 where the flaw is fixed; if no patch is available, consider reaching out to the vendor again for an update.
  • If an immediate upgrade is not possible, deploy a web application firewall or configure input validation rules that strip out or escape script tags before storing or rendering supplied supplier data.
  • Restrict access to the /inventory/supplier-save endpoint to only authorized roles and enforce strict authentication to reduce the attack surface.
  • Implement a Content Security Policy that disallows inline scripts or execution of user-supplied code to mitigate residual XSS impact.

Advisories

No advisories yet.

History

Sun, 10 May 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Devs Palace ERP Online supplier-save cross site scripting
Weaknesses | | CWE-79, CWE-94
References | |
Metrics | | cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T01:45:09.308Z

Reserved: 2026-05-09T07:25:19.262Z

Link: CVE-2026-8219

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T02:16:10.307

Modified: 2026-05-10T02:16:10.307

Link: CVE-2026-8219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T04:00:04Z

Weaknesses