CVE-2026-38530

CVSS 8.1 HIGHEPSS 0.4%CWE-639

A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.

CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N

Produtos afetados

n/a · n/a

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/krayin/laravel-crm https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530