Share
## https://sploitus.com/exploit?id=5722F76E-28F8-5034-8BBF-486D5CB2DCF2
# Security Advisories โ€” trexnegr0

Public disclosure repository for independently discovered vulnerabilities in open-source web applications.  
All CVEs were assigned by the MITRE CVE Assignment Team following coordinated disclosure.

---

## Researcher

| Field | Value |
|---|---|
| **Discoverer** | Jeremy Erazo (trexnegr0) |
| **Disclosure Policy** | Responsible / coordinated disclosure via MITRE CVE Program |

---

## CVE Index

### Grocery Store Management System

| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2025-63939](./CVE-2025-63939/) | SQL Injection | High | anirudhkannanvp/GROCERY-STORE-MANAGEMENT-SYSTEM 1.0 |

### Hotel Management PHP

| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2025-65132](./CVE-2025-65132/) | Reflected XSS | High | alandsilva26/hotel-management-php 1.0 |

### School Management System (manikandan580)

| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2025-65133](./CVE-2025-65133/) | SQL Injection | High | manikandan580/School-management-system 1.0 |
| [CVE-2025-65134](./CVE-2025-65134/) | Reflected XSS | High | manikandan580/School-management-system 1.0 |
| [CVE-2025-65135](./CVE-2025-65135/) | Blind SQL Injection | Critical (9.8) | manikandan580/School-management-system 1.0 |
| [CVE-2025-65136](./CVE-2025-65136/) | Reflected XSS | High | manikandan580/School-management-system 1.0 |

### Krayin CRM (Webkul)

| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2026-38526](./CVE-2026-38526/) | RCE via File Upload | Critical (9.9) | Krayin CRM 2.2.x |
| [CVE-2026-38527](./CVE-2026-38527/) | SSRF | High (8.6) | Krayin CRM 2.2.x |
| [CVE-2026-38528](./CVE-2026-38528/) | SQL Injection | High (7.5) | Krayin CRM 2.2.x |
| [CVE-2026-38529](./CVE-2026-38529/) | BOLA / Account Takeover | High (8.8) | Krayin CRM 2.2.x |
| [CVE-2026-38530](./CVE-2026-38530/) | BOLA | High (8.1) | Krayin CRM 2.2.x |
| [CVE-2026-38531](./CVE-2026-38531/) | BOLA | High (8.1) | Krayin CRM 2.2.x |
| [CVE-2026-38532](./CVE-2026-38532/) | BOLA | High (8.1) | Krayin CRM 2.2.x |

### Snipe-IT

| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2026-38533](./CVE-2026-38533/) | Improper Authorization / Privilege Escalation | High | Snipe-IT 8.4.0 |

---

## Research Summary

This repository covers **14 CVEs** across **4 different open-source projects**:

- **SQL Injection** (3): Boolean-based and time-based blind injection vectors in PHP applications without parameterized queries.
- **Cross-Site Scripting** (3): Reflected XSS in both GET parameters and POST bodies on admin-facing interfaces.
- **Remote Code Execution** (1): Unrestricted PHP file upload via TinyMCE editor endpoint in a Laravel CRM.
- **Server-Side Request Forgery** (1): Internal network scanning via webhook automation endpoint.
- **Broken Object-Level Authorization / BOLA** (4): Missing ownership checks on CRM objects (leads, activities, contacts, users) enabling cross-account data access and modification.
- **Improper Authorization** (2): Privilege escalation and account takeover via misconfigured authorization gates in a user management API.

All vulnerabilities were discovered through manual code review and dynamic testing on local instances of the affected software. No production systems were harmed during research.

---

## Disclosure

All vulnerabilities were reported to MITRE following responsible disclosure practices.  
CVE IDs were assigned by the MITRE CVE Assignment Team.

---

## License

These advisories are published for educational and defensive purposes.  
No complete weaponized exploit code is included.