Executive Summary

CVE-2026-38526 is an authenticated arbitrary file upload vulnerability in Webkul Krayin CRM version 2.2.x. It exists in the /admin/tinymce/upload endpoint, which fails to properly validate the type of files being uploaded.

Because the system does not check MIME types or file extensions against an allowlist, and stores uploaded files in a web-accessible directory with executable permissions, an attacker with low-privilege authenticated access can upload a malicious PHP file.

This uploaded PHP file can then be accessed via HTTP GET requests to execute arbitrary code on the server, leading to Remote Code Execution (RCE).

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to achieve full confidentiality, integrity, and availability compromise of the affected system, including exfiltration of the CRM database containing all customer records.

Such a compromise can lead to unauthorized access and disclosure of sensitive personal data, which directly impacts compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

The ability to execute arbitrary code and potentially move laterally within the internal network increases the risk of widespread data breaches, making it difficult to maintain regulatory compliance.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full compromise of the server hosting the CRM application.

• Confidentiality: An attacker can read all files accessible to the web server, potentially exposing sensitive data.
• Integrity: The attacker can modify or delete any file accessible to the web server.
• Availability: The attacker can disrupt server processes, potentially causing denial of service.

Additionally, exploitation can lead to lateral movement within the internal network and exfiltration of the CRM database containing all customer records.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded PHP files in the web-accessible directories, especially those uploaded via the /admin/tinymce/upload endpoint.

You can look for suspicious PHP files that may have been uploaded by authenticated users with low privileges.

Suggested commands include searching the web root for recently added or modified PHP files and checking web server logs for POST requests to /admin/tinymce/upload followed by GET requests to execute uploaded files.

• Find recently uploaded PHP files in the web root: `find /var/www/html -type f -name '*.php' -mtime -7`
• Check web server access logs for POST requests to the upload endpoint: `grep '/admin/tinymce/upload' /var/log/apache2/access.log` (or nginx logs)
• Look for GET requests to suspicious PHP files that might indicate execution of uploaded payloads: `grep '.php' /var/log/apache2/access.log | grep 'GET'`

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict allowlists for MIME types and file extensions to only allow safe image formats such as jpg, png, gif, and webp.

Deny all server-executable file types from being uploaded.

Store uploaded files outside the web root directory and serve them through a controller that sets proper Content-Type headers.

Rename uploaded files to random UUIDs with safe extensions to prevent direct access.

Disable PHP execution in the upload directories by configuring the web server, for example using `php_flag engine off` in .htaccess for Apache or disabling PHP in nginx location blocks.

Audit user roles that have access to the upload endpoint and restrict this access to administrators only if possible.

Useful 0 Not Useful 0