Vulnerability intelligence

CVE-2026-38526

An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVSS Score

9.9

Critical

EPSS — Exploit Probability

0.0%

Riskier than 7% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

unknown

Check vendor advisories

NVD entry PoC / advisory

1 article across 1 outlet · first covered Apr 21, 2026 · latest Apr 21, 2026

Coverage timeline

CVE-2026-38526: Critical RCE Bug in Krayin CRM TinyMCE Upload
socradar.io · Apr 21, 2026