Vulnerability Details CVE-2026-38530
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.7%
CVSS Severity
CVSS v3 Score 8.1
References
Products affected by CVE-2026-38530
-
cpe:2.3:a:webkul:krayin_crm:2.2.0