CVE-2026-5370 is a cross-site scripting vulnerability discovered in krayin laravel-crm, specifically affecting versions 2.0 through 2.2. The vulnerability resides in the composeMail function of the Activities Module/Notes Module, located in the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts. This flaw allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser when interacting with the vulnerable component. The vulnerability is remotely exploitable without requiring authentication but does require some user interaction, such as clicking a crafted link or viewing a maliciously crafted email. The CVSS 4.0 base score is 5.1, reflecting medium severity due to the ease of exploitation (network vector, low attack complexity) but limited impact on confidentiality and integrity (partial impact on integrity and confidentiality, no impact on availability). The vulnerability does not require privileges but does require user interaction, and there is no scope change. The vulnerability has been patched in a commit identified by hash 73ed28d466bf14787fdb86a120c656a4af270153. Although no active exploitation in the wild has been reported, the exploit code is publicly available, increasing the likelihood of attacks. The vulnerability affects organizations using krayin laravel-crm for customer relationship management, particularly those relying on the Activities and Notes modules for mail composition features. Attackers could leverage this vulnerability to perform phishing, session hijacking, or deliver malware via injected scripts.

The primary impact of CVE-2026-5370 is the execution of arbitrary scripts in the context of the victim's browser, potentially compromising user session tokens, stealing sensitive information, or performing unauthorized actions on behalf of the user. This can lead to partial loss of confidentiality and integrity within affected web applications. Organizations using krayin laravel-crm versions 2.0 to 2.2 are at risk of targeted attacks that exploit this vulnerability to conduct phishing campaigns, spread malware, or escalate privileges through chained attacks. The vulnerability's remote exploitability and low complexity increase the risk of widespread exploitation, especially given the public availability of exploit code. While availability is not impacted, the reputational damage and potential data breaches resulting from successful exploitation can be significant. Enterprises relying on this CRM for customer data management, sales, and communication workflows may face operational disruptions and regulatory compliance issues if exploited.

To mitigate CVE-2026-5370, organizations should immediately apply the official patch identified by commit 73ed28d466bf14787fdb86a120c656a4af270153 to upgrade krayin laravel-crm to a fixed version beyond 2.2. In addition to patching, it is critical to implement strict input validation and output encoding on all user-supplied data within the composeMail function and related modules to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough code reviews and security testing focusing on mail composition and note-taking features. Educate users to recognize phishing attempts and suspicious links that could trigger XSS payloads. Monitor web application logs and user activity for signs of exploitation attempts. If immediate patching is not feasible, consider temporarily disabling or restricting access to the affected Activities/Notes modules. Finally, maintain an incident response plan to quickly address any detected exploitation.