
Webkul Krayin CRM Password Reset Exploit Allows Account Takeover

CVE-2026-38529
Summary

An authenticated attacker (any logged-in user) can reset any other user's password in Webkul Krayin CRM and take over that account. This is a serious security risk, as an attacker could use it to access sensitive information or make changes to the system. Update to the latest version of Webkul Krayin CRM to fix this issue.

Original title
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a ...
Original description
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-269 Improper Privilege Management
CWE-639 Authorization Bypass Through User-Controlled Key
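As an added illustration (constructed for this page, not Krayin's code and not a description of its patch), the following Python handler shows the CWE-639 pattern named above beside the object-level check that closes it; the user model, the role names and the form fields are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str            # "admin" or "agent" (assumed role names)
    password_hash: str = ""

class Forbidden(Exception):
    """Raised when the actor is not allowed to act on the target record."""

def sample_users() -> dict:
    """Constructed sample data: one admin and two ordinary agents."""
    return {1: User(1, "admin"), 2: User(2, "agent"), 3: User(3, "agent")}

def hash_password(password: str) -> str:
    # Stand-in for a real password KDF; hashing is not the point here.
    return hashlib.sha256(password.encode()).hexdigest()

def can_reset_password(actor: User, target_id: int) -> bool:
    """Object-level rule: a user may change only their own password
    unless they hold the admin role."""
    return actor.id == target_id or actor.role == "admin"

def reset_password_vulnerable(users: dict, actor_id: int, form: dict) -> int:
    """BOLA pattern: actor_id comes from the session, so the caller is
    authenticated, but it is never compared with the record being written.
    The target is chosen only by the user-controlled 'id' field, so any
    logged-in user can overwrite any other user's password."""
    target = users[int(form["id"])]          # actor_id is ignored entirely
    target.password_hash = hash_password(form["password"])
    return target.id

def reset_password_fixed(users: dict, actor_id: int, form: dict) -> int:
    """Same handler with the object-level check applied before the write."""
    actor = users[actor_id]
    target_id = int(form["id"])
    if not can_reset_password(actor, target_id):
        raise Forbidden(f"user {actor.id} may not reset the password of user {target_id}")
    target = users[target_id]
    target.password_hash = hash_password(form["password"])
    return target.id
```

The check belongs in the handler (or the framework's authorization layer) rather than in the UI, since the vulnerable form accepts whatever `id` arrives in the request.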
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026