CVE-2026-36340

HIGH

Krayin CRM 2.1.5 - Remote Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-36340. PoCs published by cybercrewinc.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-36340, an RCE vulnerability in Krayin CRM v2.1.5. It explains how an authenticated attacker can upload malicious PHP files via the email composition feature, leading to remote code execution due to improper file validation and storage in a publicly accessible directory.

Description

An issue in Krayin CRM v2.1.5, fixed in v2.1.6, allows a remote attacker to execute arbitrary code via the compose email function.

Exploits (1)

github WRITEUP
by cybercrewinc · poc
https://github.com/cybercrewinc/CVE-2026-36340


Classification: Writeup 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Krayin CRM v2.1.5
Auth required
Prerequisites: Authenticated access to Krayin CRM · Ability to upload files via the email composition feature
devstral-2 · analyzed Apr 30, 2026

Scores

CVSS v3: 8.1
EPSS: 0.0010
EPSS Percentile: 27.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (1)
krayin/laravel-crm 2.1.5 - 2.1.6 (Packagist)
Published: Apr 30, 2026
Tracked Since: Apr 30, 2026