{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/krayin-crm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-38527"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-38527","ssrf","webkul","krayin-crm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-38527 details a Server-Side Request Forgery (SSRF) vulnerability affecting Webkul Krayin CRM version 2.2.x. The vulnerability is located in the \u003ccode\u003e/settings/webhooks/create\u003c/code\u003e component. An attacker can exploit this flaw by crafting a malicious POST request that forces the server to make requests to internal resources. This can be leveraged to scan internal network infrastructure, potentially revealing sensitive information or accessing internal services that are not meant to be exposed to the outside world. The vulnerability was published on April 14, 2026. Exploitation requires the attacker to be able to send POST requests to the affected endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Webkul Krayin CRM instance running version 2.2.x.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request targeting the \u003ccode\u003e/settings/webhooks/create\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a malicious payload in the body, designed to trigger an SSRF vulnerability. This payload could involve specifying a URL for the webhook to call back to.\u003c/li\u003e\n\u003cli\u003eThe vulnerable server processes the crafted POST request and attempts to create a new webhook.\u003c/li\u003e\n\u003cli\u003eThe server-side component fails to properly validate or sanitize the URL provided for the webhook callback.\u003c/li\u003e\n\u003cli\u003eAs part of the webhook creation process, the server initiates an HTTP request to the attacker-controlled URL or internal resource specified in the crafted POST request.\u003c/li\u003e\n\u003cli\u003eThe server successfully connects to the specified resource, potentially revealing information about the internal network or services.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the response from the internal service or server to gather sensitive information, such as internal hostnames, open ports, or service versions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-38527) can allow an attacker to enumerate internal network resources, potentially identifying sensitive services and systems. This information can be used to further compromise the target environment, potentially leading to data breaches or system compromise. While the specific number of affected organizations is unknown, any organization using a vulnerable version of Webkul Krayin CRM is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patch or upgrade to a version of Webkul Krayin CRM that resolves CVE-2026-38527.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization on all user-supplied data, especially URLs, to prevent SSRF attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/settings/webhooks/create\u003c/code\u003e endpoint, looking for unusual URLs or request patterns, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks by restricting access to sensitive internal resources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-krayin-crm-ssrf/","summary":"A Server-Side Request Forgery (SSRF) vulnerability in Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by sending a crafted POST request to the /settings/webhooks/create endpoint.","title":"Webkul Krayin CRM SSRF Vulnerability (CVE-2026-38527)","url":"https://feed.craftedsignal.io/briefs/2026-04-krayin-crm-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-38528"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","cve-2026-38528","krayin-crm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKrayin CRM v2.2.x is susceptible to a SQL injection vulnerability identified as CVE-2026-38528. The vulnerability resides in the \u003ccode\u003e/Lead/LeadDataGrid.php\u003c/code\u003e script, specifically within the \u003ccode\u003erotten_lead\u003c/code\u003e parameter. An attacker could exploit this vulnerability by injecting malicious SQL queries, potentially gaining unauthorized access to sensitive information stored within the CRM database. The CVSS v3.1 score is 7.1, indicating a high severity level. Successful exploitation requires a low level of privileges. This vulnerability was reported in April 2026 and could impact organizations using the affected Krayin CRM version, leading to data breaches and potential compromise of customer information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Krayin CRM v2.2.x instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting \u003ccode\u003e/Lead/LeadDataGrid.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes a SQL injection payload within the \u003ccode\u003erotten_lead\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Krayin CRM application processes the request without proper sanitization of the \u003ccode\u003erotten_lead\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL query is executed against the CRM database.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves sensitive data from the database, such as customer details, user credentials, or financial information.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the compromised data for further malicious activities, such as identity theft or financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability could lead to the unauthorized disclosure of sensitive customer data, financial records, and internal CRM data. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. While the exact number of potential victims is unknown, any organization using Krayin CRM v2.2.x is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates from the vendor to address CVE-2026-38528.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003erotten_lead\u003c/code\u003e parameter within \u003ccode\u003e/Lead/LeadDataGrid.php\u003c/code\u003e to prevent SQL injection attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Krayin CRM SQL Injection Attempt\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting \u003ccode\u003e/Lead/LeadDataGrid.php\u003c/code\u003e with potentially malicious SQL syntax.\u003c/li\u003e\n\u003cli\u003eImplement strong database access controls to limit the impact of successful SQL injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-krayin-sqli/","summary":"Krayin CRM v2.2.x is vulnerable to SQL injection via the rotten_lead parameter in /Lead/LeadDataGrid.php, potentially allowing attackers to read sensitive data.","title":"Krayin CRM v2.2.x SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-krayin-sqli/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-38529"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["bola","cve-2026-38529","krayin-crm","account-takeover"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-38529 describes a Broken Object-Level Authorization (BOLA) vulnerability affecting Webkul Krayin CRM version 2.2.x. The vulnerability resides in the \u003ccode\u003e/Settings/UserController.php\u003c/code\u003e endpoint. An authenticated attacker can exploit this flaw by sending a crafted HTTP request. Successful exploitation allows the attacker to arbitrarily reset the passwords of other users, leading to complete account takeover. Given the potential for widespread compromise and data breaches, this vulnerability poses a critical risk to organizations using the affected Krayin CRM version. Public information regarding exploitation is available on GitHub.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Krayin CRM application with valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/Settings/UserController.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request is designed to reset the password of a target user, specifying the target user\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eDue to the BOLA vulnerability, the application fails to properly validate whether the authenticated user is authorized to modify the target user\u0026rsquo;s password.\u003c/li\u003e\n\u003cli\u003eThe application resets the target user\u0026rsquo;s password using the attacker-supplied data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the new password to log in to the target user\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the target user\u0026rsquo;s account and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-38529 allows attackers to compromise user accounts within a Webkul Krayin CRM v2.2.x instance. This can lead to unauthorized access to sensitive customer data, business records, and other confidential information. A successful attack could result in data breaches, financial loss, reputational damage, and legal liabilities. Given the potential for complete account takeover, the impact is considered critical for organizations using the vulnerable CRM.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a secure version of Krayin CRM that addresses CVE-2026-38529 as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Krayin CRM Password Reset via UserController\u003c/code\u003e to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies within the Krayin CRM application to prevent unauthorized modification of user accounts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003e/Settings/UserController.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to capture detailed information about HTTP requests, including request parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T16:16:43Z","date_published":"2026-04-14T16:16:43Z","id":"/briefs/2026-04-krayin-bola/","summary":"CVE-2026-38529 is a Broken Object-Level Authorization (BOLA) vulnerability in Webkul Krayin CRM v2.2.x that allows authenticated attackers to reset user passwords and take over accounts.","title":"Webkul Krayin CRM BOLA Vulnerability (CVE-2026-38529)","url":"https://feed.craftedsignal.io/briefs/2026-04-krayin-bola/"}],"language":"en","title":"CraftedSignal Threat Feed — Krayin-Crm","version":"https://jsonfeed.org/version/1.1"}