Platform: php
Component: krayin/laravel-crm
Fixed in: 2.0.1, 2.1.1, 2.2.1
CVE-2026-5370 describes a Cross-Site Scripting (XSS) vulnerability discovered in the krayin/laravel-crm component, affecting versions up to 2.2.0. The flaw allows an attacker to inject script into the application, potentially compromising user data and session integrity. A publicly available exploit exists, which increases the risk of exploitation. Applying the vendor-provided patch is the recommended remediation.
Successful exploitation of CVE-2026-5370 allows an attacker to execute arbitrary JavaScript within the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the application. The vulnerability resides in the composeMail function of the packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts file, specifically within the Activities Module/Notes Module. Given the availability of a public exploit, the potential for widespread exploitation is significant, particularly in deployments where the component runs without proper input sanitization.
CVE-2026-5370 is a publicly disclosed vulnerability with a readily available proof-of-concept. The availability of this exploit significantly increases the likelihood of exploitation, especially given the component's use in various Laravel-based CRM applications. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. The vulnerability was published on 2026-04-02.
Organizations using krayin/laravel-crm in their CRM systems, particularly those relying on the Activities Module or Notes Module, are at risk. Shared hosting environments where multiple applications share the same server resources are also at increased risk, as a compromised application could potentially impact other tenants.
• php: Examine application logs for unusual JavaScript execution patterns or error messages related to the Activities Module/Notes Module.
• generic web: Use curl or wget to send test payloads to the composeMail endpoint and check whether the payload is reflected in the response without escaping. curl -X POST -d 'alert("XSS")' <laravel-crm-url>/activities/notes/composeMail
Exploit status: disclosure
EPSS: 0.03% (percentile 10%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5370 is to immediately apply the provided patch (73ed28d466bf14787fdb86a120c656a4af270153). This patch addresses the underlying vulnerability by implementing proper input sanitization to prevent malicious script injection. If applying the patch is not immediately feasible due to compatibility issues or downtime constraints, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious requests targeting the composeMail function. Thoroughly test any WAF rules before deploying them to production to avoid disrupting legitimate traffic. After applying the patch, confirm the fix by attempting to inject a simple JavaScript payload through the affected function and verifying that it is properly sanitized.
It is recommended to apply the patch provided by the vendor (73ed28d466bf14787fdb86a120c656a4af270153) to fix the Cross-Site Scripting (XSS) vulnerability in the Activities/Notes module of krayin laravel-crm. Alternatively, you can update to a version that incorporates this fix.
CVE-2026-5370 is an XSS vulnerability in krayin/laravel-crm versions up to 2.2.0, allowing attackers to inject malicious scripts. It impacts the composeMail function and has a LOW severity rating.
You are affected if you are using krayin/laravel-crm version 2.2.0 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Apply the provided patch (73ed28d466bf14787fdb86a120c656a4af270153) to upgrade your krayin/laravel-crm component to a patched version.
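An added example (not from this advisory or the krayin project) that performs the dependency check described above against a composer.lock file and reports the upgrade target taken from the fixed-in list. It assumes the three fixed-in versions are branch-specific backports, so a version is treated as vulnerable when it is below the fix on its own major.minor line, or at or below 2.2.0 where no such fix is listed; the composer.lock fragment is constructed.

```python
import json
import re

# Data from the advisory: affected up to 2.2.0, fixed in 2.0.1, 2.1.1 and 2.2.1.
PACKAGE = "krayin/laravel-crm"
LAST_AFFECTED = (2, 2, 0)
FIXED_VERSIONS = [(2, 0, 1), (2, 1, 1), (2, 2, 1)]

def parse_version(text):
    """Turn a composer version string such as 'v2.1.0' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unsupported version string: {text}")
    return tuple(int(x) for x in m.groups())

def branch_fix(version):
    """Fixed release on the same major.minor line as `version`, if the advisory lists one."""
    return next((f for f in FIXED_VERSIONS if f[:2] == version[:2]), None)

def is_affected(version):
    # Assumption: fixes are per-branch backports, so compare against the branch's own fix
    # when one exists; otherwise fall back to the advisory's "up to 2.2.0" rule.
    fix = branch_fix(version)
    return version < fix if fix is not None else version <= LAST_AFFECTED

def installed_version(lock_text):
    """Locked version string of krayin/laravel-crm in a composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None

def assess(lock_text):
    """Return (affected, installed_version, recommended_upgrade)."""
    installed = installed_version(lock_text)
    if installed is None:
        return (False, None, None)
    version = parse_version(installed)
    if not is_affected(version):
        return (False, installed, None)
    # Prefer the backported fix on the same branch, else the newest fixed release.
    target = branch_fix(version) or FIXED_VERSIONS[-1]
    return (True, installed, ".".join(map(str, target)))

# Constructed composer.lock fragment used as sample input.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "laravel/framework", "version": "v10.48.0"}, {"name": PACKAGE, "version": "v2.1.0"}], "packages-dev": []})
```

Run assess() on the contents of your real composer.lock; a True result names the smallest fixed release on your branch to upgrade to.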
A public proof-of-concept exists, indicating a high likelihood of active exploitation. Prompt mitigation is recommended.
Refer to the krayin/laravel-crm repository or related security advisories for the official announcement and details regarding CVE-2026-5370.