Description
A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /accounts/chart-save. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site scripting flaw in the /accounts/chart‑save function of Devs Palace ERP Online up to version 4.0.0. It allows a remote attacker to submit script content through that endpoint which is later executed in a victim's browser when the application renders it; the official description does not say whether the payload is reflected or stored, and mentions no consequences beyond execution of the injected script.

Affected Systems

All installations of Devs Palace ERP Online version 4.0.0 or earlier are affected. The flaw exists in the /accounts/chart‑save endpoint and was confirmed by publicly available proof‑of‑concept resources.

Risk and Exploitability

The CVSS v4.0 score of 4.8 is Medium; the v3.1 vector for the same issue scores only 2.4 (Low) because it requires high privileges (PR:H) and user interaction (UI:R), so exploitation needs an authenticated, privileged account and a victim who views the injected content. EPSS is below 1%, so the predicted likelihood of exploitation in the wild is very low. The vulnerability is publicly documented and exploit code is openly available. The vendor has not responded and no fix has been issued, so the flaw remains exploitable by any remote party who can reach the affected endpoint with the required privileges. It is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 11, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Devs Palace ERP Online vendor website for an updated release that addresses the cross‑site scripting issue in /accounts/chart‑save, or wait for an official patch.
  • Deploy a Web Application Firewall or custom input validation rules that block or sanitize script content submitted to /accounts/chart‑save.
  • Enable logging and monitor application logs for unusual POST requests to /accounts/chart‑save and signs that embedded scripts are being delivered to browsers.
  • Implement a Content Security Policy that disallows inline scripts and restricts script sources to trusted origins, to reduce the impact of any XSS payload that still reaches a user's browser.
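As an added example (not code from Devs Palace ERP Online or OpenCVE) that ties the monitoring, validation and CSP actions above together: a small detection pass over constructed access-log lines for POSTs to /accounts/chart-save whose decoded body parameters look like HTML/JavaScript injection, beside the CWE-79 sink pattern and its output-encoding fix and a restrictive CSP header. The log format, the parameter names (account_name, account_code), the payloads and the CSP origins are assumptions for illustration.

```python
"""
Detection and hardening helpers for an XSS sink behind /accounts/chart-save.
Added example; everything below (log format, parameter names, payloads) is constructed.
"""
import html
import re
from urllib.parse import parse_qs

TARGET_PATH = "/accounts/chart-save"

# Indicators of HTML/JavaScript injection in a decoded parameter value.
# Case-insensitive and deliberately simple; tune for the real application.
XSS_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, onmouseover=, ...
    re.compile(r"javascript\s*:", re.I),
]

# Constructed sample lines in a combined-log-like format with the request body
# appended after "body=" (assumption: real servers need explicit body logging,
# e.g. from a reverse proxy or the application itself).
SAMPLE_LOG = """\
203.0.113.10 - admin [11/May/2026:04:15:00 +0000] "POST /accounts/chart-save HTTP/1.1" 302 0 body=account_name=Cash&account_code=1000
203.0.113.10 - admin [11/May/2026:04:16:10 +0000] "POST /accounts/chart-save HTTP/1.1" 302 0 body=account_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&account_code=1001
203.0.113.10 - admin [11/May/2026:04:16:40 +0000] "POST /accounts/chart-save HTTP/1.1" 302 0 body=account_name=x%22+onmouseover%3Dalert%281%29+y%3D%22&account_code=1002
198.51.100.7 - user1 [11/May/2026:04:17:00 +0000] "GET /accounts/chart HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: body=(?P<body>.*))?$'
)


def parse_line(line):
    """Parse one constructed access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def indicators_in(value):
    """Return the patterns (as strings) that match a decoded parameter value."""
    return [p.pattern for p in XSS_INDICATORS if p.search(value)]


def find_suspicious(log_text, target_path=TARGET_PATH):
    """Flag POSTs to target_path whose decoded body parameters contain injection indicators."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["method"] != "POST" or not rec["body"]:
            continue
        if rec["path"].split("?", 1)[0] != target_path:
            continue
        params = parse_qs(rec["body"], keep_blank_values=True)  # also URL-decodes values
        for name, values in params.items():
            for value in values:
                matched = indicators_in(value)
                if matched:
                    hits.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                                 "param": name, "value": value, "indicators": matched})
    return hits


def render_row_unsafe(account_name):
    """The CWE-79 pattern: untrusted input concatenated straight into HTML."""
    return f"<td>{account_name}</td>"


def render_row_safe(account_name):
    """The fix class: HTML-entity-encode at the sink, quotes included."""
    return f"<td>{html.escape(account_name, quote=True)}</td>"


# Blocks inline script execution; the 'self' origins are an assumption and must
# match wherever the real application actually loads its scripts from.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
              "object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} user={h['user']} param={h['param']} "
              f"value={h['value']!r} matched={h['indicators']}")
    print(render_row_unsafe("<script>alert(1)</script>"))
    print(render_row_safe("<script>alert(1)</script>"))
    print(CSP_HEADER)
```

Run against a real log, the two flagged lines are the ones to pivot on (same privileged account, same source address, seconds apart), which matches the PR:H profile of the vectors: the attacker here is an authenticated user abusing the chart-save form, so the detection should key on who submitted, not only on what. The indicator list is intentionally loose; a WAF rule built from it will produce false positives on legitimate text such as "one=two", so treat it as an alerting signal rather than a blocking rule until tuned.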


Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 04:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Devs Palace; Devs Palace erp Online
Vendors & Products | | Devs Palace; Devs Palace erp Online

Mon, 11 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /accounts/chart-save. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Devs Palace ERP Online chart-save cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Devs Palace Erp Online
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-11T14:04:21.291Z

Reserved: 2026-05-10T15:26:18.605Z

Link: CVE-2026-8262

Vulnrichment

Updated: 2026-05-11T14:04:17.896Z

NVD

Status : Deferred

Published: 2026-05-11T02:16:27.930

Modified: 2026-05-11T15:08:09.893

Link: CVE-2026-8262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T04:30:27Z

Weaknesses