Search criteria
1 vulnerability by krayin
CVE-2026-5370 (GCVE-0-2026-5370)
Vulnerability from cvelistv5 – Published: 2026-04-02 17:30 – Updated: 2026-04-03 18:12 X_Open Source
VLAI
Title
krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting
Summary
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/354756 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/354756/cti | signaturepermissions-required |
| https://vuldb.com/submit/781666 | third-party-advisory |
| https://github.com/krayin/laravel-crm/issues/2419 | exploitissue-tracking |
| https://github.com/krayin/laravel-crm/pull/2466 | issue-trackingpatch |
| https://github.com/krayin/laravel-crm/commit/73ed… | patch |
| https://github.com/krayin/laravel-crm/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| krayin | laravel-crm |
Affected:
2.0
Affected: 2.1 Affected: 2.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5370",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:29:42.728345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T18:12:16.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Activities Module/Notes Module"
],
"product": "laravel-crm",
"vendor": "krayin",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "2.1"
},
{
"status": "affected",
"version": "2.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DineshrajanSv (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "DineshrajanSv (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T17:30:14.701Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354756 | krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354756"
},
{
"name": "VDB-354756 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354756/cti"
},
{
"name": "Submit #781666 | Krayin Laravel CRM \u003c= 2.1 (before patch in PR #2466) Cross Site Scripting (Stored XSS) \u2013 CWE-79",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/781666"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/krayin/laravel-crm/issues/2419"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/krayin/laravel-crm/pull/2466"
},
{
"tags": [
"patch"
],
"url": "https://github.com/krayin/laravel-crm/commit/73ed28d466bf14787fdb86a120c656a4af270153"
},
{
"tags": [
"product"
],
"url": "https://github.com/krayin/laravel-crm/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-02T07:39:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5370",
"datePublished": "2026-04-02T17:30:14.701Z",
"dateReserved": "2026-04-01T18:56:23.688Z",
"dateUpdated": "2026-04-03T18:12:16.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}