Description
A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a remote cross-site scripting (XSS) vulnerability in the /inventory/sales_save endpoint of Devs Palace ERP Online. An attacker can inject arbitrary JavaScript through this functionality; the injected script then executes in the victim's browser within the ERP's origin, where it can be used to steal session cookies, hijack accounts, deface pages, or deliver malware. The CVE description notes that an exploit has been publicly released and that the attack can be launched remotely.

Affected Systems

The affected product is Devs Palace ERP Online, versions up to and including 4.0.0. All releases before the fix contain the vulnerable sales_save code. No sub‑version details were supplied, so any deployment of 4.0.0 or earlier is potentially exposed.

Risk and Exploitability

The CVSS score of 4.8 places the issue in the moderate severity range. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector is remote: a crafted request to the sales_save page. Because the flaw permits injection of arbitrary client-side scripts, the risk to confidentiality, integrity, and availability is significant if an attacker successfully deceives an authenticated user into loading a malicious page.

Generated by OpenCVE AI on May 11, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 4.1.0 or later if available
  • Implement input validation and sanitization for all fields processed by /inventory/sales_save
  • Configure a Content Security Policy that restricts the execution of third‑party scripts



Advisories

No advisories yet.

History

Mon, 11 May 2026 01:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Devs Palace; Devs Palace erp Online

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Devs Palace; Devs Palace erp Online

Mon, 11 May 2026 00:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
  Values Removed: (none)
  Values Added: Devs Palace ERP Online sales_save cross site scripting

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79; CWE-94

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T08:04:05.648Z

Reserved: 2026-05-10T14:41:50.816Z

Link: CVE-2026-8254

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-11T00:16:33.770

Modified: 2026-05-11T15:08:09.893

Link: CVE-2026-8254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T01:30:25Z

Weaknesses