{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6651", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-20T05:55:13.524Z", "datePublished": "2026-04-20T14:45:11.560Z", "dateUpdated": "2026-04-20T15:21:57.084Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T14:45:11.560Z"}, "title": "erponline.xyz ERP Online Inventory Edit Item cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "erponline.xyz", "product": "ERP Online", "versions": [{"version": "4.0", "status": "affected"}], "modules": ["Inventory Edit Item Page"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-20T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-20T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-20T09:31:35.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Andrea Intilangelo", "type": "finder"}, {"lang": "en", "value": "acme (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "acme (VulDB User)", "type": "analyst"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358285", "name": "VDB-358285 | erponline.xyz ERP Online Inventory Edit Item cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358285/cti", "name": "VDB-358285 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793806", "name": "Submit #793806 | Devs Palace ERP Online 4.0.0 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://olografix.org/acme/ERP_Online-POC.gif", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:21:51.346945Z", "id": "CVE-2026-6651", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:21:57.084Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6651", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:21:51.346945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:21:53.487Z"}}], "cna": {"title": "erponline.xyz ERP Online Inventory Edit Item cross site scripting", "credits": [{"lang": "en", "type": "finder", "value": "Andrea Intilangelo"}, {"lang": "en", "type": "reporter", "value": "acme (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "acme (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "erponline.xyz", "modules": ["Inventory Edit Item Page"], "product": "ERP Online", "versions": [{"status": "affected", "version": "4.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-20T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-20T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-20T09:31:35.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358285", "name": "VDB-358285 | erponline.xyz ERP Online Inventory Edit Item cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358285/cti", "name": "VDB-358285 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/793806", "name": "Submit #793806 | Devs Palace ERP Online 4.0.0 Code Injection", "tags": ["third-party-advisory"]}, {"url": "https://olografix.org/acme/ERP_Online-POC.gif", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T14:45:11.560Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6651", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:21:57.084Z", "dateReserved": "2026-04-20T05:55:13.524Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T14:45:11.560Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in erponline.xyz ERP Online up to 4.0.0. This vulnerability affects unknown code of the component Inventory Edit Item Page. The manipulation of the argument Item Name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6651", "lastModified": "2026-04-20T16:16:55.810", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:55.810", "references": [{"source": "cna@vuldb.com", "url": "https://olografix.org/acme/ERP_Online-POC.gif"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/793806"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358285"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358285/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:28:46.520322+00:00", "value": {"mitigation_remediation": ["Apply an official patch or update to the latest ER Online release once a vendor fix becomes available and monitor vendor announcements", "Sanitize and encode the \"Item Name\" input before rendering it in the page; implement output encoding to prevent injection of script tags", "Restrict the allowable characters in the \"Item Name\" field or remove the field from unauthenticated edit pages", "Deploy a web application firewall or use built\u2011in security controls to detect and block suspicious script payloads"], "summary": {"action": "Monitor", "impact": "Cross\u2011Site Scripting (remote, reflected)"}, "threat_synthesis": {"affected_systems": "The flaw exists in all releases of erponline.xyz ERP Online up to and including version 4.0.0. The specific component affected is the code handling the Inventory Edit Item Page. No later versions were listed in the provided data.", "description_and_impact": "A reflected cross\u2011site scripting flaw was identified in the Inventory Edit Item Page of erponline.xyz ERP Online, exploitable via manipulation of the \"Item Name\" field. The vulnerability allows an attacker to inject arbitrary client\u2011side scripts into a victim\u2019s browser session. An attacker can use the publicly available exploit, and the vulnerability can be triggered remotely through the web interface.", "risk_and_exploitability": "The CVSS score of 4.8 indicates a moderate impact; the EPSS score is not available, so the exact exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA KEV, but the vendor\u2019s lack of response and the public release of exploit code increase the urgency. An attacker only needs to send a crafted web request to a victim with access to the edit form; no local privilege escalation or authentication bypass is required by the information provided."}}}}, "created": "2026-04-20T16:30:06.279147+00:00", "updated": "2026-04-20T16:30:06.279167+00:00", "vendors": []}