PatchSiren cyber security CVE debrief
CVE-2026-8219 Olografix CVE debrief
CVE-2026-8219 was published on 2026-05-10 and describes a cross-site scripting issue affecting Devs Palace ERP Online up to 4.0.0, specifically in an unknown function of /inventory/supplier-save. The record indicates remote exploitation is possible and that a public proof-of-concept reference exists. The CVSS score is low (1.9): the NVD vector shows the attack requires high privileges and user interaction, which lowers the overall score but does not eliminate operational risk for exposed ERP environments.
- Vendor: Olografix
- Product: Unknown
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
Administrators, application owners, and security teams responsible for Devs Palace ERP Online deployments up to 4.0.0 should review this issue. It is most relevant where privileged users can access the affected supplier-save workflow and where browser-based sessions could be impacted by injected content.
Technical summary
The source corpus identifies the weakness as cross-site scripting and also lists CWE-79 and CWE-94. NVD’s CVSS v4.0 vector indicates network attackability, low attack complexity, no attack requirements, high privileges required, and passive user interaction. The affected component is described as an unknown function under /inventory/supplier-save. The record also includes a public PoC reference in the source metadata, but the supplied corpus does not include exploit details, so no further technical reproduction guidance is provided.
Defensive priority
Moderate. The CVSS score is low, but the combination of remote reachability, privilege requirements, browser interaction, and public disclosure makes validation and remediation worthwhile for any live ERP instance.
Recommended defensive actions
- Confirm whether Devs Palace ERP Online up to 4.0.0 is deployed in your environment.
- Inventory access to the /inventory/supplier-save path and identify which privileged roles can reach it.
- Apply the vendor’s fixed release or a compensating control as soon as a patch is available.
- If no patch is available, restrict access to the affected ERP function to trusted administrative networks and users only.
- Review server-side input handling and output encoding around supplier-save and related inventory workflows.
- Monitor browser-side and application logs for unexpected script-bearing input or anomalous session behavior.
- Treat any public PoC references as a signal to accelerate validation, but do not attempt weaponized reproduction.
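One way to carry out the log-monitoring action above, as an added example that is not part of the CVE record or any vendor code. It assumes the application writes JSON-lines request logs with hypothetical fields `ts`, `user`, `path` and `params`; the sample lines are constructed.

```python
import html
import json
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/inventory/supplier-save"  # path named in the CVE record

# Markup that has no place in a supplier record field (heuristic, tune per site).
MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"  # tags that can run script
    r"|\bon[a-z]+\s*=|javascript\s*:",                    # event handlers, javascript: URLs
    re.IGNORECASE,
)

def normalise(value, rounds=3):
    """Undo URL and HTML-entity encoding, repeated to catch double encoding."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_lines):
    """Return (ts, user, field) for each script-bearing supplier-save field."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON events
        if not isinstance(event, dict):
            continue
        if event.get("path", "").split("?")[0].rstrip("/") != TARGET_PATH:
            continue
        for field, value in event.get("params", {}).items():
            if MARKERS.search(normalise(str(value))):
                hits.append((event.get("ts"), event.get("user"), field))
    return hits

# Constructed sample log lines; the field names are assumptions, not the product's format.
SAMPLE_LOG = [
    '{"ts":"2026-05-11T09:00:01Z","user":"admin1","path":"/inventory/supplier-save","params":{"name":"Acme Tools","phone":"555-0100"}}',
    '{"ts":"2026-05-11T09:02:17Z","user":"admin2","path":"/inventory/supplier-save","params":{"name":"%3Cscript%3Ealert(1)%3C%2Fscript%3E"}}',
    '{"ts":"2026-05-11T09:03:40Z","user":"admin2","path":"/inventory/supplier-save/","params":{"address":"&lt;img src=x onerror=alert(1)&gt;"}}',
    '{"ts":"2026-05-11T09:05:02Z","user":"clerk7","path":"/inventory/item-save","params":{"name":"<script>x</script>"}}',
    'not a json line',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Because the vector requires high privileges, every hit is tied to a privileged account, so the `user` value is the starting point for triage.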
Evidence notes
All claims are limited to the supplied source corpus and official CVE/NVD records. The CVE description states Devs Palace ERP Online up to 4.0.0 is affected, the vulnerable area is /inventory/supplier-save, remote exploitation is possible, and the exploit has been publicly disclosed. NVD lists CVSS 1.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N and weaknesses CWE-79 and CWE-94. Vendor attribution in the supplied metadata is low confidence and needs review.
Official resources
Publicly disclosed. The supplied description says the vendor was contacted early but did not respond, and the source metadata includes a public proof-of-concept reference.