CVE-2026-8254
Deferred Deferred - Pending Action
Cross-Site Scripting in Devs Palace ERP Online

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulDB

Description
A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-8254
EUVD
EUVD-2026-29009
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devs_palace erp_online to 4.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, immediate steps include restricting access to the affected /inventory/sales_save functionality in Devs Palace ERP Online up to version 4.0.0, especially from untrusted networks.

Since the vendor has not responded and no patch is available, it is advisable to implement web application firewalls (WAF) or input validation filters to block potential cross-site scripting payloads targeting this endpoint.

Additionally, monitor logs for suspicious requests to the /inventory/sales_save path and consider disabling or limiting the use of this functionality until a fix is provided.

Compliance Impact

The provided information does not specify how the cross site scripting vulnerability in Devs Palace ERP Online affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a security flaw found in Devs Palace ERP Online up to version 4.0.0. It affects an unknown functionality within the file /inventory/sales_save. The flaw allows an attacker to perform a cross-site scripting (XSS) attack by manipulating this functionality. The attack can be launched remotely, and the exploit code has already been made public.

Impact Analysis

The vulnerability can allow an attacker to execute cross-site scripting attacks remotely. This means an attacker could inject malicious scripts into the affected application, potentially leading to unauthorized actions performed on behalf of legitimate users, session hijacking, or other malicious activities that compromise user security.

Detection Guidance

This vulnerability involves cross site scripting (XSS) in the /inventory/sales_save file of Devs Palace ERP Online up to version 4.0.0. Detection typically involves monitoring HTTP requests to this endpoint for suspicious input patterns that could trigger XSS.

You can detect attempts to exploit this vulnerability by inspecting web server logs or using network monitoring tools to look for suspicious payloads in requests to /inventory/sales_save.

Example commands to detect such attempts include:

  • Using grep on web server logs to find requests to the vulnerable endpoint with suspicious script tags or encoded payloads: grep -iE '(/inventory/sales_save).*(<script|%3Cscript)' /var/log/apache2/access.log
  • Using curl to test the endpoint manually with a simple XSS payload: curl -X POST -d 'param=<script>alert(1)</script>' https://yourserver/inventory/sales_save -v
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect XSS payloads targeting /inventory/sales_save.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8254. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart