Share
## https://sploitus.com/exploit?id=AE6E269B-788E-520A-A4B6-9C5AC02A01E9
# CVE-2026-38526 | Krayin CRM v2.2.x Authenticated RCE - Unrestricted PHP File Upload via TinyMCE

## Description

CVE-2026-38526 is a critical authenticated remote code execution vulnerability 
affecting Webkul Krayin CRM v2.2.x. The vulnerability exists in the TinyMCE 
media upload endpoint `/admin/tinymce/upload`, which fails to validate uploaded 
file types. An authenticated attacker can upload a malicious PHP file and execute 
arbitrary commands on the server.

- **CVE:** CVE-2026-38526
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-434 - Unrestricted Upload of File with Dangerous Type
- **Affected Version:** Krayin Laravel CRM v2.2.x
- **Vendor:** Webkul

## Technical Details

The `/admin/tinymce/upload` endpoint accepts multipart file uploads for the 
TinyMCE rich text editor. The server performs no validation on the uploaded 
file type or extension, allowing an attacker to upload a PHP webshell. The 
uploaded file is stored in a web-accessible directory (`/storage/tinymce/`), 
meaning a subsequent GET request to the file path causes the PHP interpreter 
to execute the payload.

**Attack flow:**
1. Authenticate to Krayin CRM with any valid account
2. Upload a PHP webshell to `/admin/tinymce/upload` with spoofed `Content-Type: image/jpeg`
3. Server responds with the uploaded file's URL
4. GET request to the URL triggers code execution as `www-data`

## Requirements

- Python 3.x
- `requests` library (`pip install requests`)
- Valid credentials for the target Krayin CRM instance

## Usage

| Flag | Description |
|---|---|
| `-u` | Login email address |
| `-p` | Login password |
| `-c` | OS command to execute on the target |

```bash
git clone https://github.com/NathanHimself/CVE-2026-38526-PoC
cd CVE-2026-38526-PoC
python3 exploit.py -u  -p  -c 
```

## Disclaimer

This tool is for authorized penetration testing and educational purposes only. 
Do not use against systems you do not have explicit permission to test.
The author assumes no responsibility and shall not be held liable for any misuse, damage, or illegal activity arising from the use of this PoC.

## References

- https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38526](https://socradar.io/blog/cve-2026-38526-krayin-crm-rce/)
- https://nvd.nist.gov/vuln/detail/CVE-2026-38526