CVE-2026-36341

MEDIUM

Krayin Laravel CRM 2.1.5 - Stored Cross-Site Scripting in Activity Comment Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-36341. PoCs published by cybercrewinc.

AI-analyzed exploit summary The repository provides a detailed technical analysis of an XSS vulnerability in Webkul Krayin CRM, including impact, recommendations, and references to patches. It lacks functional exploit code but includes screenshots and a video PoC demonstrating HTML injection in the admin panel.

Description

Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint

Exploits (1)

nomisec WRITEUP
by cybercrewinc · poc
https://github.com/cybercrewinc/CVE-2026-36341

The repository provides a detailed technical analysis of an XSS vulnerability in Webkul Krayin CRM, including impact, recommendations, and references to patches. It lacks functional exploit code but includes screenshots and a video PoC demonstrating HTML injection in the admin panel.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Webkul Krayin CRM (v2.1.6 and prior)
Auth required
Prerequisites: Access to create or edit 'Call' or 'Meeting' logs in the CRM
devstral-2 · analyzed May 09, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 5.4
EPSS 0.0004
EPSS Percentile 11.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
krayin/laravel-crm 2.1.5 - 2.1.6Packagist
Published May 07, 2026
Tracked Since May 07, 2026