CVE-2026-38526
Webkul · Krayin CRM
An authenticated arbitrary file upload vulnerability in Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary PHP code.
Executive summary
An authenticated arbitrary file upload flaw in Webkul Krayin CRM allows an attacker with administrative access to execute malicious code, potentially leading to a full system compromise.
Vulnerability
This is an authenticated file upload vulnerability located at the /admin/tinymce/upload endpoint. It allows an authenticated administrator to upload crafted PHP files, which can then be executed by the server.
Business impact
Although exploitation requires administrative authentication, the vulnerability is rated CVSS 9.9 because remote code execution means total system compromise. An attacker can gain persistent access, steal sensitive CRM data, and use the server as a pivot point for further internal network attacks.
Remediation
Immediate Action: Restrict access to the /admin/tinymce/upload endpoint and apply the latest security updates provided by Webkul.
Proactive Monitoring: Review administrative audit logs for any unusual file upload activity or the presence of unexpected files in the web directory.
Compensating Controls: Implement file extension filtering and content-type validation on the server to prevent the execution of unauthorized scripts.
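As an added example (not part of this advisory or of Krayin's own code), the following Python script implements the proactive-monitoring step above: it parses web-server access logs and correlates POSTs to the upload endpoint with later requests from the same client for files with executable extensions. The log lines are constructed samples, and the /storage/ paths, user names and extension list are assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/admin/tinymce/upload"            # endpoint named in the advisory
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")   # assumed set of server-executable extensions

# Constructed sample lines in combined log format (not from any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Apr/2026:10:00:01 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.5 - alice [01/Apr/2026:10:00:03 +0000] "GET /storage/avatar.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - admin [01/Apr/2026:10:05:10 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 87 "-" "curl/8.0"
10.0.0.9 - admin [01/Apr/2026:10:05:12 +0000] "GET /storage/report.php?x=1 HTTP/1.1" 200 42 "-" "curl/8.0"
10.0.0.9 - admin [01/Apr/2026:10:06:00 +0000] "GET /storage/report.php HTTP/1.1" 200 42 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Correlate successful uploads with later requests for executable files.

    Returns a list of (ip, user, path) tuples, one per request for a
    script-extension path made by a client that earlier POSTed to the
    upload endpoint with a 2xx response. A request for a .php file that
    appears after an upload is the pattern the advisory asks to watch for.
    """
    uploaders = set()  # client IPs that have used the upload endpoint successfully
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path  # drop the query string before checking the extension
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT and rec["status"].startswith("2"):
            uploaders.add(rec["ip"])
        elif rec["ip"] in uploaders and path.lower().endswith(SCRIPT_EXTS):
            findings.append((rec["ip"], rec["user"], path))
    return findings


if __name__ == "__main__":
    for ip, user, path in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ip} ({user}) requested {path} after using {UPLOAD_ENDPOINT}")
```

The script only correlates requests already in the log; pair it with a file-system check of the upload directory, since an attacker may fetch an uploaded script from a different address.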
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Although this vulnerability requires authenticated access, the risk remains critical due to the potential for complete server takeover. Organizations should audit all administrative accounts and ensure that software is updated to a version where file upload validation is properly enforced.