CVE-2026-8254
Cross-Site Scripting in Devs Palace ERP Online
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devs_palace | erp_online | to 4.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in Devs Palace ERP Online up to version 4.0.0. It affects an unknown functionality within the file /inventory/sales_save. The flaw allows an attacker to perform a cross-site scripting (XSS) attack by manipulating this functionality. The attack can be launched remotely, and the exploit code has already been made public.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include restricting access to the affected /inventory/sales_save functionality in Devs Palace ERP Online up to version 4.0.0, especially from untrusted networks.
Since the vendor has not responded and no patch is available, it is advisable to implement web application firewalls (WAF) or input validation filters to block potential cross-site scripting payloads targeting this endpoint.
Additionally, monitor logs for suspicious requests to the /inventory/sales_save path and consider disabling or limiting the use of this functionality until a fix is provided.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the cross site scripting vulnerability in Devs Palace ERP Online affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cross site scripting (XSS) in the /inventory/sales_save file of Devs Palace ERP Online up to version 4.0.0. Detection typically involves monitoring HTTP requests to this endpoint for suspicious input patterns that could trigger XSS.
You can detect attempts to exploit this vulnerability by inspecting web server logs or using network monitoring tools to look for suspicious payloads in requests to /inventory/sales_save.
Example commands to detect such attempts include:
- Using grep on web server logs to find requests to the vulnerable endpoint with suspicious script tags or encoded payloads: grep -iE '(/inventory/sales_save).*(<script|%3Cscript)' /var/log/apache2/access.log
- Using curl to test the endpoint manually with a simple XSS payload: curl -X POST -d 'param=<script>alert(1)</script>' https://yourserver/inventory/sales_save -v
- Using intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect XSS payloads targeting /inventory/sales_save.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute cross-site scripting attacks remotely. This means an attacker could inject malicious scripts into the affected application, potentially leading to unauthorized actions performed on behalf of legitimate users, session hijacking, or other malicious activities that compromise user security.