Cross-Site Scripting Vulnerability in Devs Palace ERP Online
CVE-2026-8220

4.8 MEDIUM

Key Information:

Vendor
CVE Published: 10 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-8220?

A cross-site scripting (XSS) vulnerability has been discovered in Devs Palace ERP Online, affecting versions up to 4.0.0. The issue lies in an unknown function of the file /inventory/customer-save, which allows manipulation of the data sent to the user's browser. The flaw can be exploited remotely, enabling attackers to execute malicious scripts in the context of a user's session. Exploit information is publicly available, and the vendor has not acknowledged or addressed the issue.

Affected Version(s)

ERP Online 4.0

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Intilangelo
acme (VulDB User)
VulDB CNA Team