CVE-2026-5370

medium

Description

A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 73ed28d466bf14787fdb86a120c656a4af270153. To fix this issue, it is recommended to deploy a patch.

References

https://vuldb.com/vuln/354756/cti

https://vuldb.com/vuln/354756

https://vuldb.com/submit/781666

https://github.com/krayin/laravel-crm/pull/2466

https://github.com/krayin/laravel-crm/issues/2419

https://github.com/krayin/laravel-crm/commit/73ed28d466bf14787fdb86a120c656a4af270153

https://github.com/krayin/laravel-crm/

Details

Source: Mitre, NVD

Published: 2026-04-02

Updated: 2026-04-29

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 3.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Severity: Low

CVSS v4

Base Score: 5.1

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00034