Back to overview

CVE-2026-61460

HIGH Exploitation: PoC
8.8
CVSS 3.1
Description
Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.

Metadata

CVE ID
CVE-2026-61460
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-09 14:07 UTC
Published
2026-07-10 18:24 UTC
Last updated
2026-07-10 19:10 UTC
Primary CWE
CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product
krayin / laravel-crm
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
krayin laravel-crm 0 ≤ 2.2.3
Weakness (CWE)
CWESourceDescription
CWE-639 cna Authorization Bypass Through User-Controlled Key
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview