Description
A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchase_save. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the /inventory/purchase_save functionality of Devs Palace ERP Online allows an attacker to inject arbitrary client‑side script. The flaw is a classic reflected or stored cross‑site scripting issue (CWE‑79) and may also involve unsanitized code evaluation (CWE‑94). An attacker can remotely supply input that is later rendered by the application, enabling execution of arbitrary JavaScript in the context of the victim’s browser. The impact is primarily theft of credentials, session hijacking, or delivery of malicious payloads to end users. The disclosure confirms that an exploit is publicly available and that the attack can be triggered remotely; the vendor did not respond to the disclosure.

Affected Systems

The affected product is Devs Palace ERP Online, versions up to and including 4.0.0. No specific sub‑versions are listed, so all deployments of 4.0.0 and earlier releases that expose the /inventory/purchase_save endpoint should be treated as potentially vulnerable. The vendor has not published a fixed revision, and no additional version data is available.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate impact with limited scope. The EPSS score is very low (below 1%), and the vulnerability is not listed in CISA’s KEV catalog, suggesting that large‑scale exploitation is not currently evident. However, the publicly available exploit and the remote attack vector mean that any internet‑exposed instance could be attacked. Overall, the risk is moderate, warranting prompt mitigation even if the likelihood of widespread use remains uncertain.

Generated by OpenCVE AI on May 11, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Devs Palace ERP Online to a version that includes the vendor’s patch, or roll out the available fix for the /inventory/purchase_save input handling once one is published.
  • Implement a web application firewall or similar input‑validation layer to filter out script content and sanitize user‑supplied data before it reaches the application.
  • Contact the vendor to confirm the release of a remediation, and monitor official channels for a fix if none exists yet.


Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 00:45:00 +0000

Type: First Time appeared
Values Added: Devs Palace; Devs Palace erp Online

Type: Vendors & Products
Values Added: Devs Palace; Devs Palace erp Online

Sun, 10 May 2026 23:45:00 +0000

Type: Description
Values Added: A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchase_save. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Added: Devs Palace ERP Online purchase_save cross site scripting

Type: Weaknesses
Values Added: CWE-79; CWE-94

Type: References
Values Added:

Type: Metrics
Values Added: cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Devs Palace Erp Online
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T11:00:57.828Z

Reserved: 2026-05-10T14:41:48.254Z

Link: CVE-2026-8253

Vulnrichment

Updated: 2026-05-11T11:00:51.200Z

NVD

Status: Deferred

Published: 2026-05-11T00:16:33.590

Modified: 2026-05-11T15:08:09.893

Link: CVE-2026-8253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T00:30:24Z

Weaknesses