{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5370", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-01T18:56:23.688Z", "datePublished": "2026-04-02T17:30:14.701Z", "dateUpdated": "2026-04-03T18:12:16.825Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T17:30:14.701Z"}, "title": "krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "krayin", "product": "laravel-crm", "versions": [{"version": "2.0", "status": "affected"}, {"version": "2.1", "status": "affected"}, {"version": "2.2", "status": "affected"}], "modules": ["Activities Module/Notes Module"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-01T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-01T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-02T07:39:50.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "DineshrajanSv (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "DineshrajanSv (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/vuln/354756", "name": "VDB-354756 | krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354756/cti", "name": "VDB-354756 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781666", "name": "Submit #781666 | Krayin Laravel CRM <= 2.1 (before patch in PR #2466) Cross Site Scripting (Stored XSS) \u2013 CWE-79", "tags": ["third-party-advisory"]}, {"url": "https://github.com/krayin/laravel-crm/issues/2419", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/krayin/laravel-crm/pull/2466", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/krayin/laravel-crm/commit/73ed28d466bf14787fdb86a120c656a4af270153", "tags": ["patch"]}, {"url": "https://github.com/krayin/laravel-crm/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:29:42.728345Z", "id": "CVE-2026-5370", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T18:12:16.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5370", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T18:29:42.728345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:29:46.655Z"}}], "cna": {"tags": ["x_open-source"], "title": "krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "DineshrajanSv (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "DineshrajanSv (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "krayin", "modules": ["Activities Module/Notes Module"], "product": "laravel-crm", "versions": [{"status": "affected", "version": "2.0"}, {"status": "affected", "version": "2.1"}, {"status": "affected", "version": "2.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-01T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-02T07:39:50.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354756", "name": "VDB-354756 | krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354756/cti", "name": "VDB-354756 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/781666", "name": "Submit #781666 | Krayin Laravel CRM <= 2.1 (before patch in PR #2466) Cross Site Scripting (Stored XSS) \u2013 CWE-79", "tags": ["third-party-advisory"]}, {"url": "https://github.com/krayin/laravel-crm/issues/2419", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/krayin/laravel-crm/pull/2466", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/krayin/laravel-crm/commit/73ed28d466bf14787fdb86a120c656a4af270153", "tags": ["patch"]}, {"url": "https://github.com/krayin/laravel-crm/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-02T17:30:14.701Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5370", "state": "PUBLISHED", "dateUpdated": "2026-04-03T18:12:16.825Z", "dateReserved": "2026-04-01T18:56:23.688Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-02T17:30:14.701Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch."}], "id": "CVE-2026-5370", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:35.343", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/krayin/laravel-crm/"}, {"source": "cna@vuldb.com", "url": "https://github.com/krayin/laravel-crm/commit/73ed28d466bf14787fdb86a120c656a4af270153"}, {"source": "cna@vuldb.com", "url": "https://github.com/krayin/laravel-crm/issues/2419"}, {"source": "cna@vuldb.com", "url": "https://github.com/krayin/laravel-crm/pull/2466"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/781666"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354756"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354756/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "laravel-crm", "source": "cna", "vendor": "krayin"}, "product": "laravel-crm", "vendor": "krayin"}], "analysis": {"en": {"generated_at": "2026-04-02T22:54:44.762047+00:00", "value": {"mitigation_remediation": ["Upgrade krayin/laravel-crm to the latest release (at least 2.3 or later).", "If an upgrade is not immediately feasible, apply the patch from commit\u202f73ed28d466bf14787fdb86a120c656a4af270153 to the composeMail component.", "Verify that all input fields in composeMail are sanitized and escape output appropriately.", "Review other parts of the application for similar input handling issues.", "Monitor application logs for suspicious XSS activity and keep the system patched."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is krayin\u2019s Laravel\u2011CRM, version 2.2 and earlier. The issue resides in the test code located at packages/Webkul/Admin/tests/e2e\u2011pw/tests/mail/inbox.spec.ts within the Activities Module/Notes. A patch was released in commit\u202f73ed28d466bf14787fdb86a120c656a4af270153, which removes the vulnerable processing of user input.", "description_and_impact": "A cross\u2011site scripting flaw exists in the composeMail function of the Activities Module/Notes component in krayin's Laravel\u2011CRM. The flaw allows an attacker to inject malicious script content that is subsequently rendered in the mailbox UI, enabling remote script execution in the victim\u2019s browser. This originates from insufficient sanitization of user input before display and falls under CWE\u201179 and CWE\u201194. Exploitation can compromise the confidentiality, integrity, and availability of the application by hijacking sessions, stealing credentials, defacing content, or executing arbitrary code on the client side. The vulnerability is present in all releases up to version 2.2.", "risk_and_exploitability": "The CVSS score is 5.1, indicating moderate severity, but the vulnerability is remotely exploitable and public exploits are available. Since EPSS data is not provided and it is not listed in the CISA KEV catalog, the likelihood of exploitation depends largely on attacker interest and the presence of the vulnerable version. Attackers can deliver the malicious payload through any interface that allows composing mail in the application, making the vector network\u2011based and requiring only a user to view a crafted page. Prompt remediation is essential to prevent XSS attacks."}}}}, "created": "2026-04-03T07:32:14.066176+00:00", "updated": "2026-04-03T09:17:19.587361+00:00", "vendors": ["krayin", "krayin$PRODUCT$laravel-crm"]}