This document details an authenticated Remote Code Execution (RCE) vulnerability, identified as CVE-2026-38526, affecting Krayin CRM version 2.2.x. The exploit leverages an authenticated file upload mechanism, specifically through the TinyMCE editor's upload functionality, to allow an attacker to upload arbitrary malicious files.
The provided Python exploit script, developed by Diamorphine, demonstrates the full exploitation chain. It uses httpx for asynchronous HTTP requests and BeautifulSoup to parse HTML for CSRF tokens. The script automates the login process, retrieves the necessary _token and XSRF-TOKEN from the application, and then uploads a specified file (e.g., a PHP shell) to the /admin/tinymce/upload endpoint. Successful execution results in the file being hosted on the server, leading to RCE.
Top comments (0)