CVE-2026-38526

CVSS 9.9 CRITICALEPSS 0.8%CWE-434

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

Affected products

n/a · n/a

public PoCs found — 3

githubgithub.com/NathanHimself/CVE-2026-38526-PoC★ 2 githubgithub.com/pawpic/CVE-2026-38526-POC★ 0 cve_referencegithub.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38526/poc.mdunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/krayin/laravel-crm https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38526/poc.md https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38526