CVE-2026-7782

MEDIUM

CodeCanyon Perfex CRM Tenant Clients.php project authorization

Title source: cna

Description

A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from remote. The exploit is now public and may be used.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-360979 | CodeCanyon Perfex CRM Tenant Clients.php project authorization

https://vuldb.com/vuln/360979

Signature, Permissions Required signature permissions-required

VDB-360979 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/360979/cti

Third Party Advisory third-party-advisory

Submit #807683 | Canyon Perfex CRM CRM 3.4.1 Improper Authorization

https://vuldb.com/submit/807683

Exploit exploit

https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments

Scores

CVSS v3 6.3

EPSS 0.0021

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-639

Status published

Products (2)

CodeCanyon/Perfex CRM 3.4.0

CodeCanyon/Perfex CRM 3.4.1

Published May 04, 2026

Tracked Since May 05, 2026