Executive Summary

CVE-2026-36340 is a critical Remote Code Execution (RCE) vulnerability in Krayin CRM version 2.1.5 that allows an authenticated attacker to upload arbitrary PHP files via the compose email function.

These uploaded files are stored in a publicly accessible directory without proper validation, enabling attackers to execute malicious PHP code by accessing the file URL.

The root cause is insufficient validation of file extensions and MIME types, and lack of restrictions against executable files in the email attachment upload process.

This vulnerability was fixed in Krayin CRM version 2.1.6 by implementing proper validation and restrictions.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to full server compromise.

• Execution of arbitrary commands on the server.
• Deployment of web shells for persistent access.
• Manipulation or deletion of files on the server.
• Unauthorized access to the database.
• Potential pivoting into internal networks, increasing the scope of the attack.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded PHP files in the email storage directories that should not normally contain executable files.

Specifically, look for .php files in the /public/storage/emails/ directory structure, which indicates possible exploitation via the email composition feature.

You can use commands like the following on the server hosting Krayin CRM to find suspicious files:

• find /path/to/krayin/public/storage/emails/ -name "*.php"
• grep -r --include="*.php" "<?php" /path/to/krayin/public/storage/emails/

Additionally, monitoring HTTP POST requests to the endpoint /admin/mail/create for unusual file uploads or large numbers of requests can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Krayin CRM to version 2.1.6, where this vulnerability has been fixed.

Until the upgrade can be applied, implement the following measures:

• Restrict file extensions allowed for upload, blocking executable files such as .php.
• Validate MIME types server-side to ensure only legitimate file types are accepted.
• Store uploaded files outside of web-accessible directories to prevent direct execution.
• Configure the web server to block execution of uploaded files in the storage directories.
• Apply strict input validation on the email composition and attachment upload features.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Krayin CRM v2.1.5 allows remote attackers to execute arbitrary code by uploading malicious PHP files via the email composition feature. This can lead to full server compromise, including unauthorized access to files and databases.

Such a compromise could result in unauthorized access to sensitive personal data stored within the CRM, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Failure to patch this vulnerability and prevent unauthorized access could lead to non-compliance with these standards due to inadequate protection of sensitive data and insufficient security controls.

Useful 0 Not Useful 0