Jeremy Erazo (trexnegr0)

7 exploits. Active since Apr 2026.
CVE-2026-38526 (CRITICAL) - writeup
Webkul Krayin CRM 2.2.x - Authenticated RCE
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code by uploading a crafted PHP file.
CVSS 9.9
CVE-2026-38527 (HIGH) - writeup
Webkul Krayin CRM 2.2.x - SSRF
A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by supplying a crafted POST request.
CVSS 8.5
CVE-2026-38528 (HIGH) - writeup
Krayin CRM v2.2.x - SQL Injection
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
CVSS 7.1
CVE-2026-38529 (HIGH) - writeup
Webkul Krayin CRM 2.2.x - Auth Bypass
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover by supplying a crafted HTTP request.
CVSS 8.8
CVE-2026-38530 (HIGH) - writeup
Webkul Krayin CRM 2.2.x - BOLA
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users by supplying a crafted GET request.
CVSS 8.1
CVE-2026-38532 (HIGH) - writeup
Webkul Krayin CRM 2.2.x - Auth Bypass
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users by supplying a crafted GET request.
CVSS 8.1
CVE-2026-38533 (MEDIUM) - writeup
Snipe-IT 8.4.0 - Privilege Escalation
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by supplying a crafted PUT request.
CVSS 6.5