CVE-2025-3568

LOW

Webkul Krayin CRM <= 2.1.0 - Cross-Site Scripting in SVG File Handler

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-3568. PoCs published by shellkraft.

AI-analyzed exploit summary This repository describes a privilege escalation vulnerability in Krayin CRM 2.1.0 via a malicious SVG file leveraging CSRF and XSS to steal admin tokens and change passwords.

Description

A vulnerability has been found in Webkul Krayin CRM up to 2.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/settings/users/edit/ of the component SVG File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor prepares a fix for the next major release and explains that he does not think therefore that this should qualify for a CVE.

Exploits (1)

nomisec WRITEUP

by shellkraft · poc

https://github.com/shellkraft/CVE-2025-3568

View Code ZIP pw:eip

This repository describes a privilege escalation vulnerability in Krayin CRM 2.1.0 via a malicious SVG file leveraging CSRF and XSS to steal admin tokens and change passwords.

Classification

Writeup 90%

Attack Type

Xss | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Krayin CRM 2.1.0

Auth required

Prerequisites: Low-privileged user access · Admin interaction to open malicious SVG

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.304609

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.549591

Exploit, Third Party Advisory related

https://gist.github.com/shellkraft/a8b1f35d5c3ba313605065889563fb00

Exploit exploit

https://drive.google.com/file/d/1LMzZyCgloWquJRWzJAV2bpWMTuiMs6Xa/view?usp=sharing

Third Party Advisory, VDB Entry vdb-entry

https://vuldb.com/?id.304609

Scores

CVSS v3 3.5

EPSS 0.0033

EPSS Percentile 24.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (2)

webkul/krayin_crm 2.0.0

webkul/krayin_crm 2.1.0

Published Apr 14, 2025

Tracked Since Feb 18, 2026