ACCORDING to SOCRadar, CVE-2026-38526 is a critical authenticated remote code execution vulnerability affecting Webkul Krayin CRM / Krayin Laravel CRM v2.2.x. It is located in the admin-side TinyMCE media upload feature and enables a logged-in user to upload a server-executable file such as PHP and then execute it via a normal web request. The vulnerability is described as an authenticated arbitrary file upload with a high CVSS score of 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
The exposed endpoint is POST /admin/tinymce/upload, which accepts media uploads for the admin UI and reportedly lacks a strict allowlist for safe file types. A public PoC exploit is available on GitHub, and there is no confirmed exploitation in the wild or threat actor attribution tied to CVE-2026-38526, though threat actors have started circulating the exploit in Dark Web forums.
For Krayin CRM v2.2.x, the immediate guidance emphasises restricting access to the upload endpoint, disabling PHP execution in upload directories, and monitoring for related activity until a fixed version is confirmed.
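As an added, defender-side illustration of the "monitoring for related activity" guidance above (example code written for this page, not from SOCRadar or the Krayin project): the script below scans combined-format web-server access logs for a client that POSTs to /admin/tinymce/upload and shortly afterwards successfully fetches a PHP-handled path. It assumes that the only legitimate .php URL on a Laravel deployment is the /index.php front controller, that the server maps .php/.phtml/.phar to the PHP handler, and that a 10-minute window is a reasonable correlation period; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:10:01:02 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2026:10:01:09 +0000] "GET /storage/cmd.php?c=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2026:10:05:00 +0000] "POST /admin/tinymce/upload HTTP/1.1" 200 290 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2026:10:05:03 +0000] "GET /storage/photo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ENDPOINT = "/admin/tinymce/upload"          # endpoint named in the advisory
FRONT_CONTROLLER = "/index.php"                    # assumption: the only legitimate .php URL
PHP_EXTENSIONS = (".php", ".phtml", ".phar")       # assumption: extensions the server hands to PHP
WINDOW_SECONDS = 600                               # assumption: correlation window

def parse(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]     # drop the query string before matching
    return rec

def find_upload_then_execute(log_text, window=WINDOW_SECONDS):
    """Return (ip, upload_time_iso, fetched_path) for each client that POSTs to the upload
    endpoint and, within `window` seconds, receives a 2xx response for a PHP-handled path
    other than the front controller."""
    uploads = defaultdict(list)  # ip -> timestamps of POSTs to the upload endpoint
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            uploads[rec["ip"]].append(rec["ts"])
            continue
        suspicious = (rec["method"] == "GET" and rec["path"].lower().endswith(PHP_EXTENSIONS)
                      and rec["path"] != FRONT_CONTROLLER and 200 <= rec["status"] < 300)
        if suspicious:
            for t in uploads[rec["ip"]]:
                if 0 <= (rec["ts"] - t).total_seconds() <= window:
                    hits.append((rec["ip"], t.isoformat(), rec["path"]))
                    break
    return hits
```

Feed it the real access log (for example `find_upload_then_execute(open("access.log").read())`) and each returned tuple is an upload-then-fetch pair worth investigating; the second client in the sample is not flagged because it only fetched an image.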