Description
A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Devs Palace ERP Online up to version 4.0.0 allows an attacker to inject arbitrary client‑side scripts through the /inventory/item-save function. The resulting cross‑site scripting can lead to session hijacking, defacement, credential theft, or the execution of further malicious actions within the victim’s browser context. The vulnerability directly compromises the confidentiality and integrity of data processed by the affected function and can affect all users who interact with the application.

Affected Systems

The vulnerability is present in Devs Palace ERP Online software versions up to and including 4.0.0. It impacts an unnamed function within the /inventory/item-save file and is relevant to installations of the ERP Online product provided by Devs Palace.

Risk and Exploitability

The CVSS score of 4.8 indicates a medium severity, and while the EPSS score is not published, the exploit is publicly available and can be carried out remotely. The attack vector is inferred to be remote input manipulation, wherein an attacker submits a crafted payload that is rendered by the affected endpoint. Because the vulnerability is not listed in CISA’s KEV catalog and no official patch is currently disclosed, the risk largely depends on the ability of an attacker to reach the endpoint and the robustness of any mitigating controls in place.

Generated by OpenCVE AI on May 10, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest vendor patch when available.
  • If no patch is available, enforce contextual output encoding (HTML escaping) on all data processed by /inventory/item-save before it is rendered.
  • Deploy WAF or input-validation rules to block malicious payloads, enable Content Security Policy headers to limit script execution, monitor logs for suspicious script submissions, and verify that these protection policies are actually enforced.

Advisories

No advisories yet.

History

Sun, 10 May 2026 03:15:00 +0000

Type          Values Removed    Values Added
Description                     A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. This manipulation causes cross site scripting. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title                           Devs Palace ERP Online item-save cross site scripting
Weaknesses                      CWE-79, CWE-94
References
Metrics                         cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                                cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                                cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-10T02:15:09.576Z

Reserved: 2026-05-09T07:25:37.631Z

Link: CVE-2026-8221

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T03:16:08.523

Modified: 2026-05-10T03:16:08.523

Link: CVE-2026-8221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T05:30:05Z

Weaknesses