EXECUTIVE SUMMARY:
CVE-2026-38526 (CVSS 10.0) is a critical Remote Code Execution (RCE) vulnerability affecting Krayin CRM version 2.2.x, a popular open-source CRM built on Laravel and Vue.js. The flaw is in the integration of the TinyMCE rich-text editor: the media upload endpoint at /admin/tinymce/upload performs no MIME type validation and no file extension validation on the files it receives, and stores them insecurely, in a location from which the server will execute them. An attacker with any valid user account can send a POST request to this endpoint containing a file with a .php extension and a web shell as its body; the server stores and executes that file, giving the attacker code execution in the context of the web server process and, from there, full control of the host. The business impact is severe: an exploited instance can lead to data breaches, system compromise and reputational damage, with consequences including financial losses, regulatory penalties and loss of customer trust. The only prerequisites for exploitation are a valid user account and the ability to send a POST request to the affected endpoint.
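The checks the summary says the upload endpoint lacks, shown as an added Python example. This is not Krayin's code and not a Laravel controller; it is a framework-neutral illustration of the validation a media upload handler should perform before it stores anything. The image allowlist, the executable-extension list, the `validate_upload` function and the `UploadDecision` type are assumptions made here for illustration; the page does not say which file types the TinyMCE endpoint is meant to accept.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist for an image-only rich-text editor upload endpoint:
# final extension -> acceptable leading magic bytes for that type.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions a PHP-capable web server may hand to the interpreter. Any of these
# anywhere in the name (shell.php, shell.php.png) is rejected outright.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8",
                   "phtml", "phar", "phps", "pht", "htaccess"}

# Defence in depth: reject content carrying a PHP open tag even when the name
# and magic bytes are fine (image/PHP polyglots on a misconfigured host).
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None  # random server-side name, never the client's


def validate_upload(client_name: str, data: bytes, max_bytes: int = 5_000_000) -> UploadDecision:
    """Apply the checks a media upload endpoint should make before storing a file."""
    if not data or len(data) > max_bytes:
        return UploadDecision(False, "empty or oversized")

    # Never let the client-supplied name influence a filesystem path.
    if any(ch in client_name for ch in ("/", "\\", "\x00")):
        return UploadDecision(False, "path or control characters in name")

    parts = client_name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return UploadDecision(False, "missing or malformed extension")
    extensions = parts[1:]
    final_ext = extensions[-1]

    if any(ext in EXECUTABLE_EXTS for ext in extensions):
        return UploadDecision(False, "executable extension")
    if final_ext not in ALLOWED_TYPES:
        return UploadDecision(False, "extension not allowed")

    # Check the bytes themselves, not the client's Content-Type header.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[final_ext]):
        return UploadDecision(False, "content does not match extension")
    if PHP_OPEN_TAG.search(data):
        return UploadDecision(False, "php open tag in content")

    # Random name with the validated extension; the client's name is discarded.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{final_ext}")
```

The two rejections that matter for this CVE are the extension check and the content check: a .php name is refused regardless of its bytes, and a file whose bytes do not begin with the magic of its claimed image type is refused regardless of its name. Storage still has to be done safely on top of this: write the file under the random name into a directory the web server is configured not to execute scripts from, which addresses the "insecure storage" half of the finding.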
RECOMMENDATION:
We recommend updating Krayin CRM to a release that contains the vendor's fix for this issue. Note that 2.2.x is the version line the vulnerability is reported against, so confirm the fix is actually present in the installed build rather than relying on the version number alone. Until the update is applied, limit access to /admin/tinymce/upload to trusted accounts and make sure the web server does not execute scripts from the upload directory.
REFERENCES:
The following report contains further technical details:
https://securityonline.info/krayin-crm-rce-vulnerability-cve-2026-38526-fix/