PT-2026-32680 · Webkul · Krayin Crm

Trexnegro · Published 2026-04-14 · Updated 2026-04-22 · CVE-2026-38526

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Webkul Krayin CRM versions 2.2.x

Description

An authenticated arbitrary file upload issue exists in the '/admin/tinymce/upload' endpoint. This allows authenticated attackers to upload a crafted PHP file, which can lead to remote code execution and full system compromise. Approximately 2,700 services are estimated to be affected worldwide.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the '/admin/tinymce/upload' endpoint to minimize the risk of exploitation.
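
One way to check that the recommended restriction is actually in effect, as an added example that is not part of the advisory or of the Krayin project: a Python audit of web-server access logs for POST requests to the endpoint. The Combined Log Format, the allowlisted network and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "/admin/tinymce/upload"  # path named in the advisory
# Assumption: networks that should still reach the endpoint (documentation range).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Drop the query string, percent-decode, lowercase, collapse repeated
    slashes and strip a trailing slash so equivalent spellings compare equal.
    Lowercasing may over-match, which is acceptable for an audit."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/{2,}", "/", path).rstrip("/") or "/"

def audit(lines):
    """Return (ip, timestamp, status, verdict) for each POST to ENDPOINT."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalize_path(m["target"]) != ENDPOINT:
            continue
        try:
            allowed = any(ipaddress.ip_address(m["ip"]) in net for net in ALLOWED_NETS)
        except ValueError:
            allowed = False  # non-IP client field: treat as outside the allowlist
        accepted = m["status"].startswith("2")
        if allowed and not accepted:
            continue  # failed request from an allowed network: not reported
        verdict = ("review-upload" if allowed else
                   "unrestricted-upload" if accepted else "blocked-or-failed")
        findings.append((m["ip"], m["ts"], int(m["status"]), verdict))
    return findings

# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2026:10:00:00 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 85 "-" "-"',
    '203.0.113.7 - - [14/Apr/2026:10:05:00 +0000] "POST /admin/tinymce/upload/?x=1 HTTP/1.1" 200 85 "-" "-"',
    '203.0.113.7 - - [14/Apr/2026:10:06:00 +0000] "POST /admin/tinymce/upload HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.4 - - [14/Apr/2026:10:07:00 +0000] "GET /admin/tinymce/upload HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.4 - - [14/Apr/2026:10:08:00 +0000] "POST /other/path HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An `unrestricted-upload` verdict means a request from outside the allowlist was accepted, so the restriction is not being enforced; `review-upload` entries are accepted uploads from allowed networks that still merit inspection because the issue is exploitable by any authenticated user.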

Exploit

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-38526

Affected Products

Krayin Crm