Insights
Security insights from Bytium operators
Brief updates from Bytium operators on the tactics we see, how we respond, and what your teams can ship today to stay ahead.
Leantime 3.8.0 Broken Access Control
Leantime is a popular open-source project-management app. Its front-end talks to a JSON-RPC API, and several of those API methods forgot to check *who* is calling them. We already covered how that lets any low-privilege user make themselves an administrator.
Krayin CRM 2.2.0 - Authenticated Arbitrary File Upload to RCE
Krayin CRM 2.2.0 ships a TinyMCE media-upload endpoint that accepts any file extension and stores the result on a publicly served Laravel disk.
Krayin CRM 2.2.0 - Cross-User IDOR Across Lead, Contact, and Activity Controllers
An authenticated cross-user IDOR vulnerability has been identified in Webkul's Krayin CRM 2.2.0.
Perfex CRM 3.4.1 Cross-Tenant IDOR Vulnerability
Stored XSS in Perfex CRM 3.2.1 Contracts Module
Stored Cross-Site Scripting in Perfex CRM 3.2.1 Project Discussions
Stored XSS in Perfex CRM 3.2.1 project discussions allows authenticated clients to inject JavaScript that runs for other users.
Stored XSS Vulnerabilities in CRMGo SaaS 7.2
Two stored cross-site scripting (XSS) vulnerabilities were identified in CRMGo SaaS version 7.2.