## https://sploitus.com/exploit?id=5722F76E-28F8-5034-8BBF-486D5CB2DCF2
# Security Advisories โ trexnegr0
Public disclosure repository for independently discovered vulnerabilities in open-source web applications.
All CVEs were assigned by the MITRE CVE Assignment Team following coordinated disclosure.
---
## Researcher
| Field | Value |
|---|---|
| **Discoverer** | Jeremy Erazo (trexnegr0) |
| **Disclosure Policy** | Responsible / coordinated disclosure via MITRE CVE Program |
---
## CVE Index
### Grocery Store Management System
| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2025-63939](./CVE-2025-63939/) | SQL Injection | High | anirudhkannanvp/GROCERY-STORE-MANAGEMENT-SYSTEM 1.0 |
### Hotel Management PHP
| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2025-65132](./CVE-2025-65132/) | Reflected XSS | High | alandsilva26/hotel-management-php 1.0 |
### School Management System (manikandan580)
| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2025-65133](./CVE-2025-65133/) | SQL Injection | High | manikandan580/School-management-system 1.0 |
| [CVE-2025-65134](./CVE-2025-65134/) | Reflected XSS | High | manikandan580/School-management-system 1.0 |
| [CVE-2025-65135](./CVE-2025-65135/) | Blind SQL Injection | Critical (9.8) | manikandan580/School-management-system 1.0 |
| [CVE-2025-65136](./CVE-2025-65136/) | Reflected XSS | High | manikandan580/School-management-system 1.0 |
### Krayin CRM (Webkul)
| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2026-38526](./CVE-2026-38526/) | RCE via File Upload | Critical (9.9) | Krayin CRM 2.2.x |
| [CVE-2026-38527](./CVE-2026-38527/) | SSRF | High (8.6) | Krayin CRM 2.2.x |
| [CVE-2026-38528](./CVE-2026-38528/) | SQL Injection | High (7.5) | Krayin CRM 2.2.x |
| [CVE-2026-38529](./CVE-2026-38529/) | BOLA / Account Takeover | High (8.8) | Krayin CRM 2.2.x |
| [CVE-2026-38530](./CVE-2026-38530/) | BOLA | High (8.1) | Krayin CRM 2.2.x |
| [CVE-2026-38531](./CVE-2026-38531/) | BOLA | High (8.1) | Krayin CRM 2.2.x |
| [CVE-2026-38532](./CVE-2026-38532/) | BOLA | High (8.1) | Krayin CRM 2.2.x |
### Snipe-IT
| CVE ID | Type | Severity | Product |
|---|---|---|---|
| [CVE-2026-38533](./CVE-2026-38533/) | Improper Authorization / Privilege Escalation | High | Snipe-IT 8.4.0 |
---
## Research Summary
This repository covers **14 CVEs** across **4 different open-source projects**:
- **SQL Injection** (3): Boolean-based and time-based blind injection vectors in PHP applications without parameterized queries.
- **Cross-Site Scripting** (3): Reflected XSS in both GET parameters and POST bodies on admin-facing interfaces.
- **Remote Code Execution** (1): Unrestricted PHP file upload via TinyMCE editor endpoint in a Laravel CRM.
- **Server-Side Request Forgery** (1): Internal network scanning via webhook automation endpoint.
- **Broken Object-Level Authorization / BOLA** (4): Missing ownership checks on CRM objects (leads, activities, contacts, users) enabling cross-account data access and modification.
- **Improper Authorization** (2): Privilege escalation and account takeover via misconfigured authorization gates in a user management API.
All vulnerabilities were discovered through manual code review and dynamic testing on local instances of the affected software. No production systems were harmed during research.
---
## Disclosure
All vulnerabilities were reported to MITRE following responsible disclosure practices.
CVE IDs were assigned by the MITRE CVE Assignment Team.
---
## License
These advisories are published for educational and defensive purposes.
No complete weaponized exploit code is included.