Platform: php
Component: krayin/laravel-crm
Fixed in: 2.2.1
CVE-2026-38527 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Webkul Krayin CRM. This flaw allows attackers to initiate requests to internal resources on behalf of the application, potentially exposing sensitive data or enabling unauthorized access. The vulnerability impacts versions of Krayin CRM up to and including 2.2.0. A patch is available in version 2.3.0.
The SSRF vulnerability in Webkul Krayin CRM allows an attacker to bypass security controls and make requests to internal services that are not directly accessible from the outside. This could involve scanning internal networks for open ports, accessing sensitive configuration files, or even interacting with internal APIs. Successful exploitation could lead to data exfiltration, privilege escalation, or further compromise of the underlying infrastructure. The ability to initiate requests on behalf of the application significantly expands the attack surface, potentially impacting other systems within the internal network. This vulnerability shares similarities with other SSRF exploits where internal services are inadvertently exposed.
CVE-2026-38527 was publicly disclosed on 2026-04-14. There is no indication of this vulnerability being actively exploited in the wild at this time. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) code has been released, but the SSRF nature of the vulnerability makes exploitation relatively straightforward for skilled attackers.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-38527 is to upgrade Webkul Krayin CRM to version 2.3.0 or later, which contains the fix. If upgrading immediately is not feasible, consider temporary workarounds. Restrict who can reach the /settings/webhooks/create endpoint using a Web Application Firewall (WAF) or proxy server, and block the application's outbound requests to internal IP addresses or sensitive internal services. Validate and sanitize all user-supplied input so that malicious URLs cannot be used as request targets. Regularly review and update firewall rules to minimize the attack surface.
Update the Krayin CRM module to version 2.3.0 or higher to mitigate the SSRF vulnerability. This update addresses the inadequate validation of URLs provided in the /settings/webhooks/create component, thus preventing unauthorized access to internal resources.
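The "inadequate validation of URLs" named above is the general SSRF pattern: a user-supplied webhook URL is fetched by the server without checking where it actually points. The validator below is an added example written for this page, not Krayin's own code or its patch. It rejects non-HTTP schemes, embedded credentials, localhost names, and any URL whose host resolves to a non-public address (RFC 1918, loopback, link-local, IPv4-mapped IPv6, and similar), which also covers decimal or short-form IP spellings because the check runs on the resolved addresses rather than on the string. The SAMPLE_DNS table and sample_resolver are constructed so it runs offline; pass resolve_host to query the real system resolver.

```python
"""SSRF-safe webhook URL validation (added example, not Krayin's code)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table so the example runs offline; in production pass
# resolve_host() below as the resolver instead of sample_resolver().
SAMPLE_DNS = {
    "hooks.example.com": ["93.184.216.34"],               # public address
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],   # one public, one RFC 1918
    "meta.example.com": ["169.254.169.254"],              # link-local
}


def sample_resolver(host):
    """Resolve from the constructed table; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return SAMPLE_DNS.get(host.lower(), [])


def resolve_host(host):
    """Resolve via the system resolver, returning every A/AAAA answer."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_ip(address):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    # is_global is False for private, loopback, link-local, multicast,
    # unspecified, shared-address-space and documentation ranges.
    return ip.is_global


def validate_webhook_url(url, resolver=resolve_host):
    """Return (ok, reason, addresses); addresses is what the host resolved to."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if parsed.username or parsed.password:
        return False, "credentials in URL", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    try:
        parsed.port  # raises ValueError when the port is malformed or out of range
    except ValueError:
        return False, "invalid port", []
    if host == "localhost" or host.endswith(".localhost"):
        return False, "host is localhost", []
    addresses = resolver(host)
    if not addresses:
        return False, "unresolvable host", []
    # Reject if ANY answer is non-public: a name that mixes public and
    # internal records must not be allowed to pick the internal one later.
    for address in addresses:
        try:
            public = is_public_ip(address)
        except ValueError:
            return False, f"unparseable address {address}", addresses
        if not public:
            return False, f"resolves to non-public address {address}", addresses
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in [
        "https://hooks.example.com/notify",
        "http://mixed.example.com/",
        "http://meta.example.com/",
        "http://[::ffff:127.0.0.1]/",
        "http://localhost:8080/",
        "ftp://hooks.example.com/",
    ]:
        print(candidate, "->", validate_webhook_url(candidate, sample_resolver))
```

Two caveats apply when wiring this into a real webhook feature. Validating and then fetching with a separate HTTP client leaves a DNS-rebinding window between the two lookups, so the durable form is to connect to the vetted address itself (setting the Host header to the original name) or to validate again inside the client's connection hook; and redirects must be re-validated on every hop, since a public host can 302 to an internal one.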
CVE-2026-38527 is a Server-Side Request Forgery vulnerability in Webkul Krayin CRM versions up to 2.2.0, allowing attackers to scan internal resources.
If you are using Webkul Krayin CRM version 2.2.0 or earlier, you are potentially affected by this SSRF vulnerability.
Upgrade to Webkul Krayin CRM version 2.3.0 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-38527, but the SSRF nature makes it a potential target.
Please refer to the Webkul security advisory page for the latest information and updates regarding CVE-2026-38527.