CVE-2026-36341
MEDIUM5.4EPSS 0.03%Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint
Published: 5/7/2026Modified: 5/12/2026
Description
Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint
Affected packages (1)
- Packagist/krayin/laravel-crm>= 2.1.5, < 2.1.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-36341
- PATCHhttps://github.com/krayin/laravel-crm
- WEBhttps://cyber.spool.co.jp/vulnerabilities/cve-2026-36341
- WEBhttps://drive.google.com/file/d/1Y_WjD4Tiq_z7zQUlddFCFMDoyyN300r9/view
- WEBhttps://github.com/cybercrewinc/CVE-2026-36341
- WEBhttps://github.com/krayin/laravel-crm/commit/fc467040de21803cb2b67c2229d2dfcf731d2d3e
- WEBhttps://github.com/krayin/laravel-crm/pull/2401
- WEBhttps://github.com/krayin/laravel-crm/releases/tag/v2.1.6