CVE-2026-8255 Overview
CVE-2026-8255 is a cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0. The flaw resides in the /inventory/add_new_customer endpoint, where unsanitized input is rendered back to the browser. An authenticated attacker can inject script payloads that execute in the context of other users who view the affected page. The vulnerability is tracked under CWE-79 and a public proof of concept is available through Olografix. The vendor was contacted prior to disclosure but did not respond.
Critical Impact
An authenticated attacker can inject persistent or reflected JavaScript through the customer creation form, enabling session theft, UI redress, or actions performed on behalf of other ERP users.
Affected Products
- Devs Palace ERP Online versions up to and including 4.0.0
- Affected endpoint: /inventory/add_new_customer
- No vendor patch is currently available
Discovery Timeline
- 2026-05-11 - CVE-2026-8255 published to the National Vulnerability Database
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-8255
Vulnerability Analysis
The vulnerability is a stored or reflected cross-site scripting flaw in the customer creation workflow of Devs Palace ERP Online. The application accepts user-supplied input through the /inventory/add_new_customer handler and returns it to the browser without sufficient output encoding. When an authenticated user with form access submits crafted input, the malicious script is rendered as part of the response or persisted and replayed to subsequent viewers.
The attack vector is network-based and requires user interaction along with elevated privileges to access the customer management module. Successful exploitation impacts the integrity of the rendered page but does not directly compromise confidentiality or availability of the underlying server. A public proof-of-concept demonstrating the issue has been published.
Root Cause
The root cause is improper neutralization of input during web page generation, classified under CWE-79. Customer field values submitted to /inventory/add_new_customer are not HTML-encoded or filtered against script-bearing payloads before being echoed to the DOM. There is no apparent Content Security Policy enforcement to constrain inline script execution.
Attack Vector
An attacker with valid credentials to the ERP application navigates to the add new customer form and submits a payload containing JavaScript within a customer attribute. When the affected page is rendered, the browser parses and executes the injected script. Execution occurs in the security context of the victim's session, enabling cookie or token theft, forced administrative actions, or pivoting within the ERP interface. The Olografix proof of concept illustrates the exploitation sequence against the customer creation endpoint.
Detection Methods for CVE-2026-8255
Indicators of Compromise
- HTTP POST requests to /inventory/add_new_customer containing <script>, onerror=, onload=, or javascript: substrings in form parameters
- Customer records containing HTML tags, angle brackets, or encoded script fragments in name, address, or notes fields
- Outbound browser requests from ERP users to unfamiliar domains shortly after viewing the customer module
- Web server access logs showing repeated submissions to the customer endpoint from a single authenticated session
Detection Strategies
- Inspect web application firewall logs for XSS signatures targeting the /inventory/add_new_customer path
- Review the ERP database for customer entries containing markup characters such as <, >, ", or event handler attributes
- Correlate authentication events with anomalous customer creation activity from accounts that do not normally manage inventory
Monitoring Recommendations
- Enable verbose HTTP request logging on the ERP application server with full request body capture for the inventory module
- Alert on browser console errors or Content Security Policy violations originating from ERP user sessions
- Monitor session token usage across IP addresses to detect token theft consistent with successful XSS payload execution
How to Mitigate CVE-2026-8255
Immediate Actions Required
- Restrict access to the /inventory/add_new_customer endpoint to trusted administrators until a fix is available
- Deploy a web application firewall rule that blocks script tags and common XSS payload patterns submitted to the inventory endpoints
- Audit existing customer records and sanitize any entries containing HTML or JavaScript content
- Rotate session cookies and credentials for users who interacted with the customer module during the exposure window
Patch Information
No vendor patch has been released for CVE-2026-8255. The vendor did not respond to disclosure attempts. Organizations should monitor VulDB entry 362552 for updates and apply compensating controls in the interim.
Workarounds
- Implement a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Apply server-side output encoding on all customer field values before rendering them in HTML responses
- Place the ERP application behind a reverse proxy that performs input validation and strips script-bearing parameters
- Reduce the number of accounts with permissions to the inventory and customer modules
# Example nginx rule to block obvious script payloads to the affected endpoint
location /inventory/add_new_customer {
if ($request_body ~* "(<script|onerror=|onload=|javascript:)") {
return 403;
}
proxy_pass http://erp_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
