Platform: php
Component: krayin/laravel-crm
Fixed in: 2.0.1, 2.1.1, 2.2.1
CVE-2026-5370 is a Cross-Site Scripting (XSS) vulnerability in the krayin/laravel-crm component affecting versions up to and including 2.2.0. An attacker who can get a crafted value rendered by the application can have script execute in another user's browser, putting that user's data and session at risk. A public exploit is available. Upgrading to a fixed release (2.0.1, 2.1.1 or 2.2.1, depending on your branch) or applying the vendor patch is the recommended fix.
Successful exploitation lets an attacker run arbitrary JavaScript in the context of a victim's browser session with the CRM, which can be used for session hijacking, credential theft or defacement of the application. The advisory locates the flaw in the composeMail function exercised by packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts (a Playwright end-to-end test file in the Admin package) and attributes it to the Activities/Notes module. Because a public exploit exists, unpatched deployments, and internet-facing ones in particular, should be treated as exposed.
CVE-2026-5370 is publicly disclosed and a proof-of-concept is available, which lowers the effort needed to exploit it in any deployment of this CRM. The CVSS severity is rated LOW, but the ease of exploitation and the impact of script execution in an administrator's session justify prompt attention. The vulnerability was published on 2026-04-02.
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to apply the vendor patch (commit 73ed28d466bf14787fdb86a120c656a4af270153) or to upgrade to 2.0.1, 2.1.1 or 2.2.1, whichever matches your branch; the fix adds proper input sanitization so injected markup is not executed as script. If patching cannot happen immediately because of compatibility or downtime constraints, a Web Application Firewall rule that filters script-like payloads on the requests that submit mail and note content is a stop-gap; test such rules against legitimate traffic before enabling them in production, since they can block benign input. After patching, confirm the fix by submitting a harmless JavaScript canary through the affected function and verifying that the response renders it escaped rather than raw.
It is recommended to apply the vendor-provided patch (73ed28d466bf14787fdb86a120c656a4af270153) to correct the Cross-Site Scripting (XSS) vulnerability in the Activities/Notes module of krayin laravel-crm. Alternatively, upgrade to a version that incorporates this fix.
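The post-patch check described above, as an added example (not code from krayin/laravel-crm or from the advisory): it takes the HTML a page returned after a canary was submitted and reports whether the canary came back raw, HTML-escaped, altered by some filter, or not at all. Fetching the page (authenticated session, the note or mail form that is being tested) is left to the caller; the response bodies below are constructed to exercise each verdict, and the canary string is an assumption, not the public proof-of-concept payload.

```python
"""Classify how a submitted XSS canary is reflected in an HTML response."""
import html

# Assumed canary: does nothing harmful if it ever executes, but carries a
# marker (__xss_canary) that is unlikely to appear in real page content.
CANARY = '<img src=x onerror="window.__xss_canary=1">'
MARKER = "__xss_canary"


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Return one of 'unescaped', 'escaped', 'transformed', 'absent'.

    'unescaped'   the canary appears byte-for-byte: the fix is not in place.
    'escaped'     it appears HTML-entity-encoded (as Blade's {{ }} / e() produce).
    'transformed' the marker survives but neither form matches: some filter
                  rewrote it, inspect the response by hand before signing off.
    'absent'      nothing came back: the value was dropped or not rendered here.
    """
    if canary in body:
        return "unescaped"
    escaped_forms = (html.escape(canary, quote=True), html.escape(canary, quote=False))
    if any(form in body for form in escaped_forms):
        return "escaped"
    if MARKER in body:
        return "transformed"
    return "absent"


def verify_fix(responses: dict) -> dict:
    """Run the classifier over {page_name: body} and return the verdict per page."""
    return {name: classify_reflection(body) for name, body in responses.items()}


# Constructed sample responses (not captured from a real instance).
VULNERABLE_BODY = f'<div class="note-body">{CANARY}</div>'
PATCHED_BODY = f'<div class="note-body">{html.escape(CANARY)}</div>'
FILTERED_BODY = '<div class="note-body">&lt;img src=x onerror=window.__xss_canary=1&gt;</div>'
EMPTY_BODY = '<div class="note-body"></div>'

if __name__ == "__main__":
    verdicts = verify_fix({
        "before-patch": VULNERABLE_BODY,
        "after-patch": PATCHED_BODY,
        "waf-filtered": FILTERED_BODY,
        "not-rendered": EMPTY_BODY,
    })
    for page, verdict in verdicts.items():
        print(f"{page:>13}: {verdict}")
    # Only 'escaped' (or 'absent', if the field genuinely is not rendered)
    # counts as the fix being effective.
    assert verdicts["after-patch"] == "escaped"
```

Treat 'transformed' as a failure to investigate rather than a pass: a WAF or a lossy filter can strip quotes and still leave a payload that executes in a different context.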
CVE-2026-5370 is an XSS vulnerability in krayin/laravel-crm versions up to 2.2.0 that allows attackers to inject script into the application. It affects the composeMail function and carries a LOW severity rating.
You are affected if your project installs krayin/laravel-crm 2.2.0 or earlier, other than the fixed back-port releases 2.0.1 and 2.1.1. Check composer.lock (or run composer show krayin/laravel-crm) to see which version is installed.
Upgrade krayin/laravel-crm to the fixed release for your branch (2.0.1, 2.1.1 or 2.2.1), or apply the vendor patch (commit 73ed28d466bf14787fdb86a120c656a4af270153) if you cannot upgrade yet.
A public proof-of-concept exists, which makes exploitation straightforward even though EPSS currently estimates a low probability (0.03%). Prompt mitigation is recommended.
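One way to run that dependency check across a composer.lock, as an added example that is not tooling from the project or the advisory: it reads the lock file, finds every copy of the package (normal and dev sections), and compares the version against the fixed releases listed on this page. The branch logic is an assumption drawn from those three fixed versions: 2.0.x is fixed at 2.0.1, 2.1.x at 2.1.1, 2.2.x at 2.2.1, anything older is affected, and a pre-release of a fixed version is treated as not yet fixed. The sample lock file is constructed.

```python
"""Flag a vulnerable krayin/laravel-crm in composer.lock (CVE-2026-5370)."""
import json
import re

PACKAGE = "krayin/laravel-crm"
# Version tuples are (major, minor, patch, final) where final is 0 for a
# pre-release and 1 for a final release, so 2.2.1-beta1 sorts below 2.2.1.
FIXED_BY_BRANCH = {(2, 0): (2, 0, 1, 1), (2, 1): (2, 1, 1, 1), (2, 2): (2, 2, 1, 1)}
LATEST_FIXED = (2, 2, 1, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'v2.1.0' -> (2, 1, 0, 1); '2.2.1-beta1' -> (2, 2, 1, 0). Raises on dev-* refs."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x or 0) for x in m.groups())
    prerelease = text[m.end():].startswith("-")
    return (major, minor, patch, 0 if prerelease else 1)


def is_vulnerable(version):
    """True if this version predates the fix on its branch."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED_BY_BRANCH:
        return ver < FIXED_BY_BRANCH[branch]
    # Branches newer than any listed fix inherit it; older branches never got one.
    return ver < LATEST_FIXED


def find_installed(lock):
    """Yield (section, version) for every copy of the package in the lock data."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                yield section, pkg.get("version", "")


def check_lock(lock_json):
    """Return one finding per installed copy; 'vulnerable' is None when unparsable."""
    findings = []
    for section, version in find_installed(json.loads(lock_json)):
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            vulnerable = None  # e.g. dev-master: resolve the commit by hand
        findings.append({"section": section, "version": version, "vulnerable": vulnerable})
    return findings


# Constructed composer.lock excerpt, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.48.0"},
        {"name": PACKAGE, "version": "v2.2.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    findings = check_lock(source)
    if not findings:
        print(f"{PACKAGE} not present in lock file")
    for f in findings:
        state = {True: "VULNERABLE", False: "fixed", None: "unknown"}[f["vulnerable"]]
        print(f"{f['section']}: {PACKAGE} {f['version']} -> {state}")
```

Run it as `python check_krayin.py path/to/composer.lock`; with no argument it evaluates the embedded sample. A `dev-*` version is reported as unknown rather than silently passed, since the lock's `source.reference` commit would have to be compared against the fix commit by hand.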
Refer to the krayin/laravel-crm repository or related security advisories for the official announcement and details regarding CVE-2026-5370.