CVE-2026-38526

Webkul · Krayin CRM

An authenticated arbitrary file upload vulnerability in Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary PHP code.

Executive summary

An authenticated arbitrary file upload flaw in Webkul Krayin CRM allows an attacker with administrative access to execute malicious code, potentially leading to a full system compromise.

Vulnerability

This is an authenticated file upload vulnerability located at the /admin/tinymce/upload endpoint. It allows an authenticated administrator to upload crafted PHP files, which can then be executed by the server.

Business impact

Although this requires administrative authentication, the vulnerability is rated CVSS 9.9: the impact of remote code execution is total system compromise. An attacker can gain persistent access, steal sensitive CRM data, and use the server as a pivot point for further attacks on the internal network.

Remediation

Immediate Action: Restrict access to the /admin/tinymce/upload endpoint and apply the latest security updates provided by Webkul.

Proactive Monitoring: Review administrative audit logs for any unusual file upload activity or the presence of unexpected files in the web directory.

Compensating Controls: Implement file extension filtering and content-type validation on the server to prevent the execution of unauthorized scripts.
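The log review suggested under Proactive Monitoring can be scripted. The following Python script is an added example, not part of this advisory or of the Krayin code base: it parses constructed access-log lines in the common "combined" format, records POSTs to /admin/tinymce/upload per client address, and flags any request that fetches a PHP-like file from an assumed upload prefix (/storage/ here, which must be adjusted to the deployment's real upload path).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx "combined" style); these
# are illustrative only and not taken from any real Krayin deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:10:01:09 +0000] "GET /storage/cache.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2026:10:02:15 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 298 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2026:10:02:20 +0000] "GET /storage/photo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2026:10:03:00 +0000] "GET /admin/leads HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

UPLOAD_ENDPOINT = "/admin/tinymce/upload"   # endpoint named in the advisory
# Assumed: served uploads live under this prefix; adjust to your deployment.
UPLOAD_PREFIX = "/storage/"
# Extensions a PHP handler will typically execute; any request for such a
# file under the upload prefix is treated as suspicious.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(log_text):
    """Return (uploads, alerts): upload POST timestamps per client IP, and
    requests that fetch a script-like file from the upload prefix."""
    uploads = defaultdict(list)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads[rec["ip"]].append(rec["ts"])
        elif path.startswith(UPLOAD_PREFIX) and path.lower().endswith(SCRIPT_EXTS):
            alerts.append({"ip": rec["ip"], "path": path, "status": rec["status"],
                           "preceded_by_upload": rec["ip"] in uploads})
    return dict(uploads), alerts

if __name__ == "__main__":
    ups, als = analyse(SAMPLE_LOG)
    for a in als:
        print("ALERT", a)
```

Every alert should be followed by inspecting the referenced file on disk and the upload activity of that client; the upload POSTs themselves are legitimate admin traffic and are recorded only to give context.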

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Although this vulnerability requires authenticated access, the risk remains critical due to the potential for complete server takeover. Organizations should audit all administrative accounts and ensure that software is updated to a version where file upload validation is properly enforced.