- krayin
- crm
- rce
- cve
- file-upload
- laravel
news
Krayin CRM TinyMCE Upload RCE (CVE-2026-38526)
Sploitus-indexed authenticated PoC uploads PHP via /admin/tinymce/upload to public storage for www-data execution.
Summary
CVE-2026-38526 is a critical authenticated remote code execution vulnerability in Webkul Krayin CRM v2.2.x. The /admin/tinymce/upload endpoint accepts arbitrary file extensions without server-side validation, storing uploads on Laravel's public disk (storage/app/public → /storage/...). Authenticated users — including low-privilege roles per some analyses — can upload PHP webshells and execute them via direct HTTP GET. A PoC is indexed on Sploitus with CVSS 9.9.
OFFSITE.DARK cites Sploitus as index source; upstream PoC by NathanHimself.
Technical Details
| Aspect | Detail |
|---|---|
| CVE | CVE-2026-38526 |
| Endpoint | POST /admin/tinymce/upload |
| Weakness | CWE-434 unrestricted upload → CWE-94 code execution |
| Affected | Krayin CRM 2.2.x |
| Auth | Authenticated (any staff account per indexed research) |
| Execution context | Web server user (www-data typical) |
Root cause (indexed PoCs): getClientOriginalExtension() trusts client-supplied extensions; non-SVG uploads skip sanitizeSvg(); default FILESYSTEM_DISK=public with storage:link serves PHP directly.
Login (any valid staff user)
│
▼
POST PHP shell with spoofed image Content-Type
│
▼
Server returns public URL under /storage/
│
▼
GET URL → PHP interpreter executes payload
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-38526 |
| CVSS | 9.9 Critical |
| Sploitus date | 2026-06-24 |
| GitHub PoC | NathanHimself/CVE-2026-38526-PoC |
Impact
Authenticated RCE enables full CRM and host compromise — customer PII exfiltration, ransomware staging, and pivoting on shared hosting. Public PoC availability increases scan pressure against exposed Krayin instances.
Mitigation
- Apply vendor patch when available; verify Webkul security advisories.
- Disable PHP execution in public/storage and upload directories.
- Enforce extension allow-lists server-side; derive type from content, not client metadata.
- Serve uploads through authenticated download controllers, not direct public disk mapping.
- Restrict admin panel access by IP/VPN; monitor /admin/tinymce/upload for non-image extensions.
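A log-side check for the monitoring item above, added here as an example (not code from the advisory, the PoC, or the Krayin project): it walks combined-format access log lines, assumed in chronological order, flags any GET of a PHP-executable file under /storage/, and records whether the same client POSTed to /admin/tinymce/upload within a window beforehand. The sample log and the extension list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
UPLOAD_PATH = "/admin/tinymce/upload"  # endpoint named in the advisory
# Extensions a PHP handler would execute if reachable under /storage/ (assumed list)
EXEC_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")

# Constructed sample: one upload-then-execute chain, plus benign and 404 traffic
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2026:10:00:01 +0000] "POST /admin/login HTTP/1.1" 302 0
203.0.113.5 - - [24/Jun/2026:10:00:07 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 118
203.0.113.5 - - [24/Jun/2026:10:00:12 +0000] "GET /storage/tinymce/a1b2c3.php HTTP/1.1" 200 64
198.51.100.9 - - [24/Jun/2026:10:02:00 +0000] "GET /storage/logo.png HTTP/1.1" 200 4096
198.51.100.9 - - [24/Jun/2026:10:03:00 +0000] "GET /storage/old.phtml HTTP/1.1" 404 0
""".splitlines()

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    return d

def is_storage_exec(path):
    """True if the path is under the public storage mapping and ends in a PHP extension."""
    return path.startswith("/storage/") and path.endswith(EXEC_EXTS)

def find_upload_exec_chains(lines, window=timedelta(minutes=30)):
    """Return one alert per GET of an executable file under /storage/; each alert
    notes whether that client POSTed to the upload endpoint within `window` before."""
    last_upload = {}  # ip -> timestamp of its most recent upload POST
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_PATH:
            last_upload[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and is_storage_exec(rec["path"]):
            seen = last_upload.get(rec["ip"])
            alerts.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                           "after_upload": seen is not None and rec["ts"] - seen <= window})
    return alerts
```

A 200 on such a GET means the server executed or served a PHP file from the public disk and should be treated as a confirmed finding; a 404 still indicates probing worth reviewing.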
Sources
- Sploitus — CVE-2026-38526 (index reference)
- GitHub PoC — NathanHimself