CVE-2026-5370
Status: Received - Intake
Cross-Site Scripting in Krayin Laravel-CRM Activities Module

Publication date: 2026-04-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A cross-site scripting vulnerability was identified in krayin laravel-crm up to and including version 2.2. The affected code is the function composeMail in the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts, in the Activities Module/Notes Module component. Manipulation of the relevant input leads to cross-site scripting. The attack can be launched remotely. A public exploit is available and may be used. The fix is commit 73ed28d466bf14787fdb86a120c656a4af270153; deploying this patch is the recommended remediation. Note that the referenced file sits under an end-to-end test directory (tests/e2e-pw, a .spec.ts file), so it documents the reproduction rather than the rendering code itself; the Executive Summary below locates the actual sink in the notes rendering templates.
Affected Vendors & Products

Vendor   Product      Version / Range
krayin   laravel-crm  up to 2.2 (inclusive)
krayin   laravel-crm  2.1.6
CWE

CWE ID   Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-5370 is a stored Cross-Site Scripting (XSS) vulnerability in the Krayin CRM application, specifically affecting the Notes field in the Contacts → Persons module. Any authenticated user can insert HTML, CSS and JavaScript into the Notes section of a Person record. Because the application neither sanitizes nor encodes this input before rendering it, the injected code is stored and later executed in the browsers of other users who view the affected notes.

The root cause is insufficient input sanitization combined with rendering the stored notes as live HTML through Vue.js directives such as v-html and v-safe-html, which allows arbitrary script execution. The vulnerability lets attackers run scripts in the context of other users' sessions, potentially leading to session hijacking or privilege escalation.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in your browser when you view compromised notes in the CRM. Such scripts can steal session cookies, perform actions on your behalf, escalate privileges, or manipulate the CRM interface.

  • Potential session hijacking leading to unauthorized access.
  • Privilege escalation by executing scripts with your user permissions.
  • Injection of malicious content that could affect other users viewing the notes.
  • Disruption of normal CRM operations or data integrity through script execution.
Detection Guidance

This vulnerability can be detected by reproducing the stored Cross-Site Scripting (XSS) attack within the Krayin CRM application, specifically in the Notes field of the Contacts → Persons module.

  • Log in as any authenticated user.
  • Navigate to Contacts → Persons.
  • Create or open a Person record.
  • Add a Note containing a crafted HTML/JavaScript payload such as `<script>alert('XSS')</script>`.
  • Save the note, then view the record as another user (or reload it).

If the script executes (e.g., an alert popup appears), the vulnerability is present. One caveat: markup inserted through innerHTML, which is what v-html does, never executes `<script>` elements, so a payload that relies on an event-handler attribute (for example an `<img>` element with an `onerror` handler) is a more reliable probe. A note that comes back as literal text, with the angle brackets visible on the page, indicates the fixed behavior.

Mitigation Strategies

The recommended immediate mitigation is to deploy the official patch, which removes the unsafe HTML rendering and escapes user input before it reaches the page.

  • Apply the patch identified by commit 73ed28d466bf14787fdb86a120c656a4af270153.
  • Render all user input in the Notes and activity comment fields as plain text rather than HTML; sanitizing on input is not a substitute for escaping on output.
  • Avoid Vue.js directives such as `v-html` or `v-safe-html` for user-generated content; use text interpolation instead.

Additionally, monitor for stored XSS attempts (for example, notes containing tags or event-handler attributes) and, where possible, restrict which authenticated users may create notes until the patch is applied.
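The following is an added example, not Krayin's code or the page's own. It models the two rendering paths contrasted in the Detection Guidance and Mitigation Strategies above (a verbatim HTML splice, as v-html amounts to, beside an escaping renderer) and adds a canary-based classifier that tells an unpatched, a filtered and a patched response apart. The function names, the canary id `xsscanary-7f3a` and the sample responses are all constructed for illustration and do not appear in the project.

```javascript
// Added example (not Krayin's code): a minimal model of the two rendering paths
// the advisory contrasts, plus a canary-based check that tells them apart in a
// captured response. All names and sample markup are constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// What a text interpolation ({{ note }}) amounts to: every character that could
// start a tag, attribute or entity is encoded, so the note can only ever be text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// The "before" of the fix: the stored note is spliced into markup verbatim, which
// is what rendering it through innerHTML / v-html does. Deliberately unsafe.
function renderNoteUnsafe(note) {
  return `<div class="note-body">${note}</div>`;
}

// The "after": same markup, note escaped, so <img onerror=...> is shown, not run.
function renderNoteSafe(note) {
  return `<div class="note-body">${escapeHtml(note)}</div>`;
}

// Canary for a detection run. It carries an unambiguous id and an event-handler
// attribute; a <script> element is a poor probe here because innerHTML-inserted
// scripts are never executed by the browser, whereas onerror on an <img> is.
// The handler body is inert on purpose: the goal is to see whether it survives.
const CANARY_ID = 'xsscanary-7f3a';
const CANARY = `<img src=x alt="${CANARY_ID}" onerror="void 0">`;

// Classify a captured page (e.g. the Person record fetched as a second user):
//   'vulnerable'  the canary came back as a live tag with its handler intact
//   'sanitized'   the tag survived but the handler was stripped (allow-list filter)
//   'escaped'     the canary is present only as text (output encoding in place)
//   'not-found'   the note is not on this page at all
function classifyResponse(html) {
  const tagRe = new RegExp(`<[^>]*${CANARY_ID}[^>]*>`, 'i');
  const tag = html.match(tagRe);
  if (tag) return /\bonerror\s*=/i.test(tag[0]) ? 'vulnerable' : 'sanitized';
  if (html.includes(CANARY_ID)) return 'escaped';
  return 'not-found';
}

// Constructed sample responses standing in for what a scanner would fetch.
const SAMPLE_RESPONSES = {
  unpatched: renderNoteUnsafe(CANARY),
  patched: renderNoteSafe(CANARY),
  filtered: `<div class="note-body"><img src="x" alt="${CANARY_ID}"></div>`,
  unrelated: '<div class="note-body">Called customer, follow up Friday.</div>',
};

function runDetection(responses = SAMPLE_RESPONSES) {
  const out = {};
  for (const [name, html] of Object.entries(responses)) out[name] = classifyResponse(html);
  return out;
}

console.log(runDetection());
```

In a real check the sample responses would be replaced by the HTML of the Person record fetched as a second user after the canary note is saved; the `escaped` outcome is the one the patch should produce, while `sanitized` means an allow-list filter is in the path and should be reviewed rather than trusted blindly.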

Compliance Impact

The vulnerability CVE-2026-5370 is a stored Cross-Site Scripting (XSS) issue that allows malicious scripts to execute in the context of other users viewing the affected CRM application. This can lead to session hijacking, privilege escalation, or other attacks.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or disclosure of personal or sensitive data. XSS vulnerabilities can be exploited to steal user credentials or session tokens, potentially resulting in data breaches.

Therefore, failure to address this vulnerability could result in non-compliance with data protection requirements that mandate appropriate security measures to protect personal data and prevent unauthorized access.
