CVE-2026-8254
Cross-Site Scripting in Devs Palace ERP Online
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devs_palace | erp_online | up to 4.0.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw found in Devs Palace ERP Online up to version 4.0.0. It affects an unknown functionality within the file /inventory/sales_save. The flaw allows an attacker to perform a cross-site scripting (XSS) attack by manipulating this functionality. The attack can be launched remotely, and the exploit code has already been made public.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute cross-site scripting attacks remotely. This means an attacker could inject malicious scripts into the affected application, potentially leading to unauthorized actions performed on behalf of legitimate users, session hijacking, or other malicious activities that compromise user security.