Executive Summary

CVE-2026-38528 is a SQL injection vulnerability found in Krayin CRM version 2.2.x. It occurs through the 'rotten_lead' parameter used in the Leads DataGrid endpoint (/Lead/LeadDataGrid.php). The vulnerability arises because this parameter is directly inserted into a Laravel havingRaw() SQL query without proper sanitization or parameter binding.

This improper handling allows an authenticated user with low privileges to inject arbitrary SQL code remotely. The injected SQL can be used to extract sensitive information from the database, such as CRM records, customer data, and credentials.

The root cause is the use of Laravel's havingRaw() method with unsanitized user input, enabling attacks like UNION SELECT statements. The vulnerability requires authentication but only low privileges.

Useful 0 Not Useful 0

Compliance Impact

The SQL injection vulnerability in Krayin CRM v2.2.x allows an authenticated attacker with low privileges to extract sensitive database information, including CRM records, customer data, and credentials. This high confidentiality risk could lead to unauthorized access and exposure of personal and sensitive data.

Such unauthorized data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses a significant risk to maintaining compliance with these regulations due to potential data confidentiality violations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant impact on confidentiality by allowing attackers to perform full database enumeration. Sensitive data such as CRM records, customer information, and credentials can be exposed.

The integrity impact is low because the vulnerability mainly allows reading data rather than modifying it. There is no direct impact on system availability.

An attacker needs to be authenticated with low privileges, but once exploited, they can remotely extract sensitive information, potentially leading to data breaches and privacy violations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the 'rotten_lead' parameter at the /Lead/LeadDataGrid.php endpoint for SQL injection. Since the vulnerability involves unsanitized input in a Laravel havingRaw() query, an authenticated user with low privileges can attempt to inject SQL code.

Suggested detection commands include sending HTTP requests with crafted payloads to the 'rotten_lead' parameter to observe if SQL injection is possible. For example, using curl or similar tools to send requests with SQL injection payloads such as UNION SELECT statements.

• curl -X GET 'http://<target>/Lead/LeadDataGrid.php?rotten_lead=1 UNION SELECT 1,2,3--'
• Use authenticated session cookies or tokens as required since authentication is needed.

Monitoring network traffic for unusual SQL queries or error messages related to the 'rotten_lead' parameter may also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Use Laravel's parameterized query bindings instead of raw SQL interpolation for the 'rotten_lead' parameter, e.g., havingRaw('column IN (?)', [$sanitizedInput]).
• Validate the 'rotten_lead' input against an allowlist of acceptable values, such as boolean flags like 0 or 1.
• Apply least-privilege principles to the database user by removing FILE, SUPER, or DROP privileges.
• Suppress SQL error messages in production environments to avoid information leakage.

Useful 0 Not Useful 0