CVE-2026-36340
Arbitrary Code Execution in Krayin CRM

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: MITRE

Description
An issue in Krayin CRM v2.1.5, fixed in v2.1.6, allows a remote attacker to execute arbitrary code via the compose email function.
Meta Information
Published: 2026-04-30
Last Modified: 2026-04-30
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
krayin crm 2.1.5
krayin crm 2.1.6
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-36340 is a critical Remote Code Execution (RCE) vulnerability in Krayin CRM version 2.1.5 that allows an authenticated attacker to upload arbitrary PHP files via the compose email function.

These uploaded files are stored in a publicly accessible directory without proper validation, enabling attackers to execute malicious PHP code by accessing the file URL.

The root cause is insufficient validation of file extensions and MIME types, and lack of restrictions against executable files in the email attachment upload process.

This vulnerability was fixed in Krayin CRM version 2.1.6 by implementing proper validation and restrictions.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to full server compromise, including:

  • Execution of arbitrary commands on the server.
  • Deployment of web shells for persistent access.
  • Manipulation or deletion of files on the server.
  • Unauthorized access to the database.
  • Potential pivoting into internal networks, increasing the scope of the attack.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of uploaded PHP files in the email storage directories that should not normally contain executable files.

Specifically, look for .php files under the /public/storage/emails/ directory structure; their presence indicates possible exploitation via the email composition feature.

You can use commands like the following on the server hosting Krayin CRM to find suspicious files:

  • find /path/to/krayin/public/storage/emails/ -name "*.php"
  • grep -r --include="*.php" "<?php" /path/to/krayin/public/storage/emails/

Additionally, monitoring HTTP POST requests to the endpoint /admin/mail/create for unusual file uploads or large numbers of requests can help detect exploitation attempts.
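The two detection ideas above (files that should not be in the attachment storage, and bursts of POSTs to the compose endpoint) as one small hunting script. This is an added example, not part of the advisory or of Krayin CRM; it assumes the storage path and endpoint named above, a combined-format web server access log, and the constructed sample log lines embedded below. Unlike the plain `find -name "*.php"`, it also flags files that carry a PHP open tag under a harmless-looking extension.

```shell
#!/bin/sh
# Added detection example; not part of Krayin CRM or this advisory.
# Assumptions: storage lives under $KRAYIN_ROOT/public/storage/emails, the
# access log is in combined format, and SAMPLE_LOG below is constructed data.

# Print files under the given directory that are PHP by extension, or that
# contain a PHP open tag under any other extension (a renamed upload).
find_php_in_storage() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.phar|*.php[0-9])
                printf '%s\n' "$f"
                continue ;;
        esac
        # -s silences unreadable-file errors; -E for the alternation.
        if grep -qsE '<\?(php|=)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Count POST requests to /admin/mail/create per client IP from a
# combined-format access log on stdin. Output: "<count> <ip>", highest first.
# Field 6 is the quoted method ("POST), field 7 the request path.
count_compose_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/admin\/mail\/create/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.9 - - [30/Apr/2026:10:00:01 +0000] "GET /admin/mail/create HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Apr/2026:10:00:05 +0000] "POST /admin/mail/create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Apr/2026:10:00:06 +0000] "POST /admin/mail/create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Apr/2026:10:01:10 +0000] "POST /admin/mail/create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Apr/2026:10:00:07 +0000] "POST /admin/mail/create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Stand-alone run: hunt the live storage path if KRAYIN_ROOT is set, then
# rank request sources in the sample log.
if [ "${KRAYIN_ROOT:-}" ]; then
    find_php_in_storage "$KRAYIN_ROOT/public/storage/emails"
fi
printf '%s\n' "$SAMPLE_LOG" | count_compose_posts
```

Run it as `KRAYIN_ROOT=/path/to/krayin sh hunt.sh`, and feed the real access log with `count_compose_posts < /var/log/nginx/access.log` (path assumed). A single source with many POSTs in a short window, or any hit from the file scan, is worth a closer look at the files' timestamps and the matching log entries.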


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Krayin CRM to version 2.1.6, where this vulnerability has been fixed.

Until the upgrade can be applied, implement the following measures:

  • Restrict file extensions allowed for upload, blocking executable files such as .php.
  • Validate MIME types server-side to ensure only legitimate file types are accepted.
  • Store uploaded files outside of web-accessible directories to prevent direct execution.
  • Configure the web server to block execution of uploaded files in the storage directories.
  • Apply strict input validation on the email composition and attachment upload features.
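The first two interim measures (an extension allowlist and server-side type validation) as one gate that runs on a file before it is moved into storage. This is an added example, not Krayin's code; it assumes a deliberately small allowlist of attachment types with their leading bytes (a magic-byte check standing in for a MIME sniff) and uses constructed sample files. It also rejects double extensions such as `invoice.php.pdf` and any body containing a PHP open tag, so a type-valid polyglot is refused as well.

```shell
#!/bin/sh
# Added example of the server-side upload checks listed above; not part of
# Krayin CRM. Assumes a small allowlist (extension -> leading bytes) and is
# meant to run on a candidate file before it is stored.

# Return 0 if the file is acceptable, 1 otherwise, printing the reason.
validate_attachment() {
    f="$1"
    name=$(basename "$f")
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')

    # 1. One extension only: rejects "invoice.php.pdf" and similar.
    case "$lower" in
        *.*.*) echo "reject: multiple extensions in $name"; return 1 ;;
    esac

    # 2. Extension allowlist with the expected leading bytes (hex) per type.
    ext="${lower##*.}"
    case "$ext" in
        pdf)      magic='25504446' ;;   # %PDF
        png)      magic='89504e47' ;;   # \x89PNG
        jpg|jpeg) magic='ffd8ff' ;;
        *) echo "reject: extension .$ext not allowed for $name"; return 1 ;;
    esac

    # 3. Content must match the claimed type: compare the first bytes as hex
    #    (the shell equivalent of a server-side MIME sniff, not the client's
    #    Content-Type header).
    head_hex=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$head_hex" in
        "$magic"*) ;;
        *) echo "reject: content of $name does not match .$ext"; return 1 ;;
    esac

    # 4. No PHP open tag anywhere in the body, so a PDF/PHP polyglot is
    #    refused even though its header is valid.
    if grep -qsE '<\?(php|=)' "$f"; then
        echo "reject: PHP open tag found in $name"; return 1
    fi

    echo "accept: $name"
    return 0
}

# Stand-alone run: check every path given on the command line.
for candidate in "$@"; do
    validate_attachment "$candidate"
done
```

The remaining two bullets, storing uploads outside the web root and having the web server refuse to execute anything under the storage path, are web server and application configuration rather than a per-file check, and belong alongside this gate, not instead of it.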

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Krayin CRM v2.1.5 allows remote attackers to execute arbitrary code by uploading malicious PHP files via the email composition feature. This can lead to full server compromise, including unauthorized access to files and databases.

Such a compromise could result in unauthorized access to sensitive personal data stored within the CRM, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Failure to patch this vulnerability and prevent unauthorized access could lead to non-compliance with these standards due to inadequate protection of sensitive data and insufficient security controls.

