cybercrewinc

6 exploits. Active since Nov 2025.
CVE-2026-36341 NOMISEC MEDIUM WRITEUP
Krayin Laravel CRM 2.1.5 - Stored Cross-Site Scripting in Activity Comment Field
A Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint.
CVSS 5.4
CVE-2026-36340 GITHUB HIGH WRITEUP
Krayin CRM 2.1.5 - Remote Code Execution
An issue in Krayin CRM v2.1.5, fixed in v2.1.6, allows a remote attacker to execute arbitrary code via the compose email function.
CVSS 8.1
CVE-2025-63588 NOMISEC HIGH WORKING POC
CMSimpleXH - Unauthenticated Reflected Cross-Site Scripting via Query Handling
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a crafted request (e.g., a maliciously crafted POST login). Successful exploitation may lead to theft of session cookies, credential disclosure, or other client-side impacts.
CVSS 7.1
CVE-2025-63589 NOMISEC HIGH WORKING POC
CMSimple_XH 1.8 - Reflected Cross-Site Scripting via URL Path Segments
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML (navigation links, breadcrumbs, search form action, footer links). An attacker-controlled string placed in the URL path is reflected into multiple HTML elements, allowing execution of arbitrary JavaScript in victims' browsers visiting a crafted URL.
CVSS 7.1
CVE-2025-64027 NOMISEC MEDIUM WORKING POC
Snipe-IT v8.3.4 - Authenticated Reflected Cross-Site Scripting via CSV Import Progress Message
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progress_message value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the POST /livewire/update request to inject arbitrary HTML or JavaScript into the progress_message. Because the server accepts the modified input without sanitization and reflects it back to the user, arbitrary JavaScript executes in the browser of any authenticated admin who views the import page. NOTE: this is disputed by the Supplier because the report only demonstrates that an authenticated user can choose to conduct a man-in-the-middle attack against himself.
CVSS 6.1
CVE-2026-36341 WRITEUP MEDIUM WRITEUP
Krayin Laravel CRM 2.1.5 - Stored Cross-Site Scripting in Activity Comment Field
A Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint.
CVSS 5.4