Server-Side Request Forgery in Webkul Krayin CRM
CVE-2026-38527

8.5HIGH

Key Information:

Vendor: Webkul
Status: Krayin CRM
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-38527?

A server-side request forgery vulnerability exists in the /settings/webhooks/create component of Webkul's Krayin CRM version 2.2.x. This issue can be exploited by attackers who send a specially crafted POST request, allowing them to scan and potentially access internal resources that should otherwise be protected. Organizations using this software must review configurations and consider implementing safeguards to prevent potential exploitation.

References

https://github.com/krayin/laravel-crm

https://github.com/TREXNEGRO/Security-Advisories/tree/mai...

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-38527 Data

JSON