LeakyCreds

CVE-2026-36341 - Vulnerability Analysis

Severity: Medium | CVSS: 5.4

Last Updated: May 7, 2026

Webkul Krayin CRM - Stored XSS

Published: May 7, 2026 | Updated: May 7, 2026 | PoC Available | Remote Exploitable

Overview

Webkul Krayin CRM v2.1.5 contains a stored XSS vulnerability caused by a failure to sanitize user input in the comment field during Activity creation on /admin/activities/create, allowing attackers to execute scripts. Exploitation requires no special privileges.

Severity & Score

Severity: Medium
CVSS Score: 5.4

Impact

Attackers can execute arbitrary scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.

Mitigation

Update to the latest version of Webkul Krayin CRM.

Details

CVE ID: CVE-2026-36341
Severity: Medium
CVSS Score: 5.4
Type: stored_xss
Status: rejected

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N