krayin/laravel-crm

GitHub

github.com

krayincrm.com

Releases32

Frequency1 month 3 weeks

Last Release 17 days ago

Stars22.6K

Free & Opensource Laravel CRM solution for SMEs and Enterprises for complete customer lifecycle management.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-36341 ↗	May 7, 2026Thursday, 7 May 2026, 16:16	5.4 MEDIUM	—
Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
CVE-2026-36340 ↗	Apr 30, 2026Thursday, 30 April 2026, 16:16	8.1 HIGH	—
An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function
CVE-2026-38526 ↗	Apr 14, 2026Tuesday, 14 April 2026, 16:16	9.9 CRITICAL	—
An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2026-38527 ↗	Apr 14, 2026Tuesday, 14 April 2026, 16:16	8.5 HIGH	—
A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
CVE-2026-38528 ↗	Apr 14, 2026Tuesday, 14 April 2026, 16:16	7.1 HIGH	—
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
CVE-2026-38529 ↗	Apr 14, 2026Tuesday, 14 April 2026, 16:16	8.8 HIGH	—
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
CVE-2026-38530 ↗	Apr 14, 2026Tuesday, 14 April 2026, 16:16	8.1 HIGH	—
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
CVE-2026-38532 ↗	Apr 14, 2026Tuesday, 14 April 2026, 16:16	8.1 HIGH	—
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
CVE-2026-5370 ↗	Apr 2, 2026Thursday, 2 April 2026, 18:16	3.5 LOW	4 MEDIUM
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.
CVE-2021-41924 ↗	Jun 21, 2022Tuesday, 21 June 2022, 15:15	6.1 MEDIUM	4.3 MEDIUM
Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).