Insights
Security insights from Bytium operators
Brief updates from Bytium operators on the tactics we see, how we respond, and what your teams can ship today to stay ahead.
May 16, 2026 • 2 min read
Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE
Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk.
advisory
May 16, 2026 • 2 min read
Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers
An authenticated cross-user IDOR vulnerability has been identified in Webkul's Krayin CRM 2.2.0.
advisory
Mar 30, 2025 • 2 min read
Stored XSS in Perfex CRM 3.2.1 Contracts Module
Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.
security
advisory
Mar 30, 2025 • 2 min read
Stored Cross-Site Scripting in Perfex CRM 3.2.1 Project Discussions
Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.
security
appsec
advisory
Sep 18, 2024 • 2 min read
Stored XSS Vulnerabilities in CRMGo SaaS 7.2
Two stored cross-site scripting (XSS) vulnerabilities were identified in CRMGo SaaS version 7.2.
advisory
security
vulnerabilities