Description
A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This issue arises from a vulnerable function in the /inventory/customer-save endpoint of Devs Palace ERP Online, allowing an attacker to inject script that is reflected back into the user’s browser. The vulnerability can be triggered remotely, and a public exploit exists. The potential consequences include arbitrary script execution in the context of the victim’s browser, which may lead to session hijacking, data theft, or defacement. The weakness aligns with CWE-79 (Cross-Site Scripting) and CWE-94 (Code Injection), indicating that user input is not properly sanitized or encoded before use.

Affected Systems

Devs Palace ERP Online versions up to 4.0.0 are affected. The specific function that is vulnerable resides in the /inventory/customer-save route, but no further version granularity is provided.

Risk and Exploitability

The CVSS v4.0 score of 4.8 places this issue in the Medium severity band (the recorded v3.x scores of 2.4 fall in the Low band), and no EPSS score has been published, so there is no estimate yet of exploitation probability. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to send a crafted HTTP request to the /inventory/customer-save endpoint, which can be done remotely; note that the recorded vectors carry PR:H and UI:R/UI:P, so the attacker needs a highly privileged account and a user must interact with the reflected content. Without input validation and output encoding, the payload is reflected and executed in the user’s browser. The lack of an immediate remedy from the vendor increases the risk of continued exploitation until a patch or mitigation is applied.

Generated by OpenCVE AI on May 10, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch from Devs Palace when it becomes available.
  • Validate and sanitize all input received by the /inventory/customer-save endpoint and ensure any output is properly encoded to prevent reflected script execution.
  • Deploy a web application firewall or similar protective layer to detect and block suspicious XSS attempts and monitor for malicious traffic.

Advisories

No advisories yet.

History

Sun, 10 May 2026 03:15:00 +0000

Type | Values Removed | Values Added
Description | - | A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | - | Devs Palace ERP Online customer-save cross site scripting
Weaknesses | - | CWE-79, CWE-94
References | - | (none listed)
Metrics | - | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
        cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
        cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
        cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T02:00:11.278Z

Reserved: 2026-05-09T07:25:32.971Z

Link: CVE-2026-8220

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T03:16:07.703

Modified: 2026-05-10T03:16:07.703

Link: CVE-2026-8220

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T04:30:04Z

Weaknesses