Zero Day MonitorZDM

← Back to list

8.8

CVE-2026-38529EXPLOITED

n/a · n/a

CVE-2026-38529: A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allo

Description

A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a

References

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-38529 | Krayin CRM 2.2.x HTTP UserController.php improper authentication

→ No new info (linked only)

CVSS 3.18.8 HIGH

VectorCVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N

CISA KEV❌ No

Actively exploited✅ Yes

PublishedApr 14, 2026

Last enriched6h agov2

Tags

improper authentication

Trending Score50

Source articles1

Independent1

Info Completeness7/14

Missing: epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2025-65135EXP

CVE-2025-65135: In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin

HIGHCVE-2026-38530EXP

CVE-2026-38530: A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.

MEDIUMCVE-2025-65136EXP

CVE-2025-65136: In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php v

MEDIUMCVE-2025-65132EXP

CVE-2025-65132: alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which a

CRITICALCVE-2025-61260EXP

CVE-2025-61260: A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 14, 2026

Discovered by ZDM

Apr 14, 2026

Updated: severity, activelyExploited, tags

Apr 14, 2026

Actively Exploited

Apr 14, 2026

Version History

v2

Last enriched 6h ago

v2Tier C6h ago

Updated severity to CRITICAL, marked as actively exploited, and added tag for improper authentication.

severityactivelyExploitedtags

via VulDB

v16h ago

Initial creation