CVE-2019-10226

MEDIUM

Fat Free CRM v0.19.0 - HTML Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-10226. PoCs published by Ismail Tasdelen.

AI-analyzed exploit summary: This exploit demonstrates an HTML injection vulnerability in Fat Free CRM v0.19.0 by sending a crafted POST request to the comments endpoint, injecting arbitrary HTML content into the comment field.

Description

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.

Exploits (1)

exploit-db · Working PoC
by Ismail Tasdelen · text · webapps · ruby
https://www.exploit-db.com/exploits/46617

Classification: Working PoC (90%)
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Fat Free CRM v0.19.0
Auth required
Prerequisites: Valid session cookie · CSRF token · Access to the comments endpoint
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0236
EPSS Percentile 85.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
fatfreecrm/fat_free_crm 0.19.0
rubygems/fat_free_crm 0 · RubyGems
Published Jun 10, 2019
Tracked Since Feb 18, 2026