CVE Watchtower



CVE-2026-38526 (NVD)

Vulnerability Summary

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code by uploading a crafted PHP file.
Severity Level: CRITICAL (9.9)
Published Date: Apr 14, 2026
Last Modified: Apr 17, 2026
Exploitation Status: No confirmed exploitation yet
EPSS Score (30-Day): 0.07% probability
Root Weakness (CWE): The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVSS v3.1 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High