Krayin CRM v2.2.x: Authenticated Malicious File Upload Allows Code Execution
CVE-2026-38526
Summary
A vulnerability in Krayin CRM version 2.2.x lets authenticated users upload malicious files, which can allow an attacker to execute unauthorized code on the system. This could lead to system compromise or data theft. Update to the latest version of Krayin CRM to fix this issue.
Original title and description
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
NVD CVSS 3.1
9.9
Vulnerability type
CWE-434
Unrestricted File Upload
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026