## https://sploitus.com/exploit?id=AE6E269B-788E-520A-A4B6-9C5AC02A01E9
# CVE-2026-38526 | Krayin CRM v2.2.x Authenticated RCE - Unrestricted PHP File Upload via TinyMCE
## Description
CVE-2026-38526 is a critical authenticated remote code execution vulnerability
affecting Webkul Krayin CRM v2.2.x. The vulnerability exists in the TinyMCE
media upload endpoint `/admin/tinymce/upload`, which fails to validate uploaded
file types. An authenticated attacker can upload a malicious PHP file and execute
arbitrary commands on the server.
- **CVE:** CVE-2026-38526
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-434 - Unrestricted Upload of File with Dangerous Type
- **Affected Version:** Krayin Laravel CRM v2.2.x
- **Vendor:** Webkul
## Technical Details
The `/admin/tinymce/upload` endpoint accepts multipart file uploads for the
TinyMCE rich text editor. The server performs no validation on the uploaded
file type or extension, allowing an attacker to upload a PHP webshell. The
uploaded file is stored in a web-accessible directory (`/storage/tinymce/`),
meaning a subsequent GET request to the file path causes the PHP interpreter
to execute the payload.
**Attack flow:**
1. Authenticate to Krayin CRM with any valid account
2. Upload a PHP webshell to `/admin/tinymce/upload` with spoofed `Content-Type: image/jpeg`
3. Server responds with the uploaded file's URL
4. GET request to the URL triggers code execution as `www-data`
## Requirements
- Python 3.x
- `requests` library (`pip install requests`)
- Valid credentials for the target Krayin CRM instance
## Usage
| Flag | Description |
|---|---|
| `-u` | Login email address |
| `-p` | Login password |
| `-c` | OS command to execute on the target |
```bash
git clone https://github.com/NathanHimself/CVE-2026-38526-PoC
cd CVE-2026-38526-PoC
python3 exploit.py -u -p -c
```
## Disclaimer
This tool is for authorized penetration testing and educational purposes only.
Do not use against systems you do not have explicit permission to test.
The author assumes no responsibility and shall not be held liable for any misuse, damage, or illegal activity arising from the use of this PoC.
## References
- https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38526](https://socradar.io/blog/cve-2026-38526-krayin-crm-rce/)
- https://nvd.nist.gov/vuln/detail/CVE-2026-38526