Krayin CRM SQL Injection: High-Severity Flaw Exposes Data

The National Vulnerability Database (NVD) recently highlighted a significant SQL injection vulnerability, tracked as CVE-2026-38528, affecting Krayin CRM versions 2.2.x. This flaw is located within the /Lead/LeadDataGrid.php component and can be triggered via the rotten_lead parameter. SQL injection vulnerabilities are a classic but ever-present danger, allowing attackers to manipulate database queries and potentially extract sensitive information, modify data, or even gain control over the database.

With a CVSS score of 7.1, this vulnerability is rated as HIGH severity. The vector, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, indicates that it’s network-exploitable, low complexity, requires low privileges, no user interaction, and primarily impacts confidentiality (High), with some impact on integrity (Low) but no impact on availability. This means an attacker with minimal access could potentially dump sensitive CRM data, which is a big deal for any organization relying on Krayin CRM for lead and customer management.