CVE-2026-8255 - Vulnerability Details

- Devs Palace ERP Online add_new_customer cross site scripting

Description

A weakness has been identified in Devs Palace ERP Online up to 4.0.0. This affects an unknown part of the file /inventory/add_new_customer. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-05-11

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Devs Palace ERP Online allows an attacker to inject malicious script into an untrusted page, enabling the execution of arbitrary JavaScript on the browser of anyone who views that page. The vulnerability resides in an unspecified portion of the /inventory/add_new_customer endpoint and can be triggered remotely by submitting crafted input. Successful exploitation permits attackers to hijack user accounts, steal session data, or perform phishing actions that appear legitimate to the affected user.

Affected Systems

The issue affects Devs Palace ERP Online versions up to and including 4.0.0. The vulnerability applies to an undefined part of the /inventory/add_new_customer endpoint within these releases. No specific sub‑components or modules are named beyond the mentioned endpoint.

Risk and Exploitability

An exploit has been publicly released and can be launched remotely without authentication. The CVSS score of 4.8 indicates moderate severity; the EPSS score is not available, making it difficult to gauge current exploitation prevalence. The vulnerability is not listed in the CISA KEV catalog, and no widespread exploitation has been reported. Nonetheless, the remote nature of the attack and the ability to execute arbitrary client‑side code warrant immediate remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Devs Palace

ERP Online

affected

Version	Status	Constraints
`4.0`	affected	—

No data.

Vendor Product Confidence Versions

Devs Palace

Erp Online

100%

Version	Status	Scheme	Platform
`4.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply any vendor‑supplied patch for Devs Palace ERP Online that fixes the XSS in /inventory/add_new_customer.
If a patch is not yet released, limit access to /inventory/add_new_customer to administrators or high‑privilege accounts only.
Implement server‑side input validation and output encoding so that any user‑supplied data is properly escaped before rendering.

Generated by OpenCVE AI on May 11, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00028.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://olografix.org/acme/_poc/ERP_Online-POC1.gif
https://vuldb.com/submit/808526
https://vuldb.com/vuln/362552
https://vuldb.com/vuln/362552/cti

History

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 11 May 2026 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Devs Palace Devs Palace erp Online
Vendors & Products		Devs Palace Devs Palace erp Online

Mon, 11 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in Devs Palace ERP Online up to 4.0.0. This affects an unknown part of the file /inventory/add_new_customer. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title		Devs Palace ERP Online add_new_customer cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://olografix.org/acme/_poc/ERP_Online-POC1.gif https://vuldb.com/submit/808526 https://vuldb.com/vuln/362552 https://vuldb.com/vuln/362552/cti
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Devs Palace Erp Online

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-11T00:00:19.440Z

Updated: 2026-05-11T14:30:18.137Z

Reserved: 2026-05-10T14:46:08.984Z

Link: CVE-2026-8255

Vulnrichment

Updated: 2026-05-11T14:30:03.878Z

NVD

Status : Deferred

Published: 2026-05-11T00:16:33.960

Modified: 2026-05-11T15:08:09.893

Link: CVE-2026-8255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T02:00:07Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object