CVE-2026-38530

Name of the Vulnerable Software and Affected Versions Webkul Krayin CRM versions 2.2.x

Description A Broken Object-Level Authorization (BOLA) exists in the '/Controllers/Lead/LeadController.php' endpoint. This allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users by supplying a crafted GET request.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.