Webkul Krayin CRM v2.2.x Allows Attackers to Delete Other Users' Leads

CVE-2026-38530
Summary

A security issue in Webkul Krayin CRM version 2.2.x allows anyone with a login to access, change, or delete leads belonging to other users. Attackers could use this to erase valuable sales data or disrupt business operations. A patch is available; update to the latest version to fix this.

Original title
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanent...
Original description
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
NVD CVSS 3.1 score: 8.1
Vulnerability type
CWE-639: Authorization Bypass Through User-Controlled Key
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026