Stored XSS on Notes field allows unsafe HTML/CSS/JS content to be stored and rendered in Contacts → Persons module

[Dineshrajansv]

Recording.2026-01-08.013957.mp4

Bug report

Title

JNotes field allows unsafe HTML/CSS/JS content to be stored and rendered in Contacts → Persons module.

Issue Description

User-supplied input entered in the Notes section of the Contacts → Persons module is stored persistently and rendered when the record is viewed by other users. Crafted HTML, CSS, and JavaScript markup is accepted and displayed, indicating inconsistent or insufficient context-aware output encoding. This behavior results in unsafe rendering of user-controlled content across user roles, including administrators.

Preconditions

**

1. Framework Version: Krayin CRM v2.1.6

2. Commit ID: Not specified (latest release at time of testing)

3. Environment:

     OS: Linux / Windows (local setup)
     PHP: 8.1+ 
     Browser: Chrome / Firefox**
   

Steps to reproduce

1. Log in to Krayin CRM as any authenticated user.
2. Navigate to Contacts → Persons.
3. Create or open an existing Person record.
   4 .Go to the Notes section and click Add Note.
4. Insert crafted HTML/JS content into the Note (example payload used during testing).
   6 . Save the note.
5. Refresh the page or view the same record as another user (including admin).

Expected result

**
User input in the Notes field should be safely handled.

HTML/JavaScript markup should be properly sanitized or contextually escaped.

Unsafe user-controlled content should not be rendered in the UI.**

payload


































test

LOL LOL<style>*{/*all*/color/*all*/:/*all*/red/*all*/;/[0]*IE,Safari*[0]/color:green;color:bl/*IE*/ue;}</style> <script>({0:#0=alert/#0#/#0#(0)})</script>

Actual result

**

User-controlled input is stored persistently in the database.

Stored content is rendered when Notes are viewed.

HTML and CSS markup are displayed as part of the Notes view.

Output encoding appears inconsistent, allowing unsafe markup to be rendered across users.**

• [points....]

Recording.2026-01-08.013957.mp4

[sagarkumar-webkul]

Thanks for raising this issue. We appreciate you bringing it to our attention.
vidoe link -https://webkul.chatwhizz.com/share/view-recording/6965d407101c3706b2dc792b

[Dineshrajansv]

Thank you for reviewing and testing the reported behavior.

Since this issue allows persistent execution of user-supplied JavaScript across users
(including administrators), it appears to meet the criteria for a Stored Cross-Site
Scripting vulnerability (CWE-79).

Could you please confirm:

1. Whether this will be treated as a security vulnerability, and
2. If there are any plans to assign or request a CVE after the fix or advisory?

I’m happy to coordinate responsible disclosure and provide any additional details if required.

[sagarkumar-webkul]

@Dineshrajansv
We are treating it as a security matter and will prioritize a fix. Once the fix we will evaluate whether a CVE assignment is appropriate, following our responsible disclosure process.

[Dineshrajansv]

@sagarkumar-webkul Thank you for the confirmation and for prioritizing the fix.
I appreciate you treating this as a security matter. I’m happy to coordinate and provide any further details or testing support if needed as part of the responsible disclosure process.

[Dineshrajansv]

Hi @sagarkumar-webkul ,

I hope you're doing well.

I wanted to follow up regarding the Stored XSS vulnerability reported earlier.
Could you please share any updates on the fix timeline or current status?

Please let me know if I can assist with retesting once a patch is available.

Thank you again for your time and support.

Best regards,
Dinesh Rajan S V