CVE-2026-8221
Cross-Site Scripting in Devs Palace ERP Online
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devs_palace | erp_online | to 4.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw found in Devs Palace ERP Online up to version 4.0.0, specifically in an unknown function within the file /inventory/item-save. It allows an attacker to perform a cross-site scripting (XSS) attack by manipulating this function.
The attack can be carried out remotely, meaning an attacker does not need physical access to the system to exploit it. The exploit has already been published and may be used by attackers.
The vendor was contacted early about this issue but did not respond.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to execute cross-site scripting (XSS) attacks remotely on your Devs Palace ERP Online system.
Such XSS attacks can lead to the injection of malicious scripts into web pages viewed by other users, potentially resulting in session hijacking, defacement, or redirection to malicious sites.
Because the exploit is published and can be used remotely, it increases the risk of compromise if the system is not patched or mitigated.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a cross site scripting (XSS) flaw in the /inventory/item-save function of Devs Palace ERP Online up to version 4.0.0. Detection can focus on monitoring HTTP requests targeting this endpoint for suspicious input patterns that may include script tags or other XSS payloads.
You can use web server logs or network traffic inspection tools to identify attempts to exploit this vulnerability by searching for requests to /inventory/item-save containing typical XSS attack vectors.
Example commands to detect potential exploitation attempts include:
- Using grep on web server logs to find suspicious requests: grep -iE '(/inventory/item-save).*(<script|javascript:|onerror=|onload=)' /var/log/apache2/access.log
- Using curl to test the endpoint with a simple XSS payload: curl -X POST -d 'item=<script>alert(1)</script>' https://your-erp-online-domain/inventory/item-save -v
- Using intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect XSS payloads targeting the /inventory/item-save path.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint /inventory/item-save to trusted users only, as the vulnerability requires high privileges (PR:H) and user interaction.
Implement input validation and sanitization on all inputs to the /inventory/item-save function to prevent malicious scripts from being processed.
If possible, apply web application firewall (WAF) rules to block common XSS attack patterns targeting this endpoint.
Monitor logs for exploitation attempts and consider temporarily disabling or restricting the affected functionality until a patch or official fix is available.
Since the vendor has not responded, consider isolating the affected system from untrusted networks to reduce exposure.