{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38527", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T17:36:59.813Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:13:06.128Z"}, "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:L/S:C/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:36:52.240969Z", "id": "CVE-2026-38527", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:36:59.813Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-38527", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T17:36:52.240969Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:35:48.366Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:L/PR:L/S:C/UI:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527"}], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:13:06.128Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38527", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:36:59.813Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request."}], "id": "CVE-2026-38527", "lastModified": "2026-04-17T15:33:34.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T16:16:43.270", "references": [{"source": "cve@mitre.org", "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527"}, {"source": "cve@mitre.org", "url": "https://github.com/krayin/laravel-crm"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,3.0.0)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "laravel-crm", "vendor": "krayin"}], "analysis": {"en": {"generated_at": "2026-04-14T16:26:14.888650+00:00", "value": {"mitigation_remediation": ["Update to the latest version of Webkul Krayin CRM once a patch addressing the SSRF is released.", "Restrict the /settings/webhooks/create endpoint so that only authenticated administrators can access it, and enforce whitelist validation on the target URLs.", "Disable outbound RPC or internal service calls that are not required for the webhook functionality.", "Monitor application logs for anomalous POST requests to the webhook endpoint and promptly investigate any suspicious activity."], "summary": {"action": "Patch", "impact": "Internal Resource Exposure"}, "threat_synthesis": {"affected_systems": "Webkul Krayin CRM, specifically version 2.2.x, is affected by this SSRF. The vulnerability resides in the webhook creation component and can be triggered by any user able to submit a POST request to the /settings/webhooks/create endpoint.", "description_and_impact": "An SSRF flaw exists in the /settings/webhooks/create route of Webkul Krayin CRM version 2.2.x. A request crafted with a malicious payload can cause the server to fetch arbitrary URLs, enabling an attacker to probe internal network services. This could lead to the disclosure of internal resources or further exploitation if those services have vulnerabilities, compromising confidentiality and potentially availability if service disruption occurs.", "risk_and_exploitability": "With a CVSS base score of 8.5, this issue is classified as high risk. The potential for exploitation is significant because the flaw can be triggered over the network, likely without authentication if access to the webhook creation page is public. While the EPSS score is not available, the absence of an entry in the KEV catalog does not reduce the likelihood of exploitation; the flaw is sufficient to allow internal reconnaissance and possibly launch persistence or privilege escalation attacks against exposed services. No patch is currently available via the vendor, so the vulnerability remains exploitable until remedial action is taken."}}}}, "created": "2026-04-14T16:31:39.426793+00:00", "title": "Server-Side Request Forgery in Webkul Krayin CRM Webhooks Endpoint Enables Internal Network Discovery", "updated": "2026-04-15T21:03:10.200083+00:00", "vendors": ["krayin", "krayin$PRODUCT$laravel-crm"], "weaknesses": ["CWE-918"]}