CVE-2026-38526 in Krayin CRM Enables RCE
ID: 7d780c0c-1a56-5106-ae1a-a2810ece23e8
STIX ID: report--7d780c0c-1a56-5106-ae1a-a2810ece23e8
Feed Name: SOCRadar Blog
CVE-2026-38526 is a critical (CVSS 9.9) authenticated arbitrary file upload vulnerability in Webkul Krayin CRM (v2.2.x). It allows low-privilege authenticated users to upload PHP payloads through the TinyMCE admin media upload endpoint and achieve remote code execution. A public PoC and exploit-sharing have been observed, so internet-exposed or widely accessible admin panels should be treated as high priority. Mitigations include disabling PHP execution in upload directories, storing uploads outside the web root, restricting the upload endpoint to trusted roles and networks, and monitoring for suspicious upload and GET activity.
