PatchSiren cyber security CVE debrief
CVE-2026-8220 Olografix CVE debrief
CVE-2026-8220 describes a remote cross-site scripting issue in Devs Palace ERP Online up to 4.0.0, affecting an unknown function under /inventory/customer-save. The source corpus says the exploit is public, which raises practical risk even though the listed CVSS score is low (1.9). The NVD record also maps the issue to CWE-79 and CWE-94, and the vector indicates network access with user interaction and high privileges required.
- Vendor: Olografix
- Product: Unknown
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
ERP administrators, application owners, security teams, and anyone operating or exposing Devs Palace ERP Online instances, especially where users with elevated access can reach the affected inventory/customer-save workflow.
Technical summary
The supplied record describes an XSS condition in /inventory/customer-save. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates a network-reachable issue that requires privileges and user interaction, with low integrity impact and no confidentiality or availability impact recorded in the source vector. The source metadata also lists CWE-79 and CWE-94, and includes a public proof-of-concept reference. Because the vendor attribution in the corpus is low confidence, the product and affected scope should be validated against authoritative vendor information if available.
Defensive priority
Moderate priority for any exposed deployment. The severity score is low, but the public exploit reference and web-facing nature of XSS make it worth prioritizing for internet-exposed or high-value ERP environments.
Recommended defensive actions
- Confirm whether Devs Palace ERP Online up to 4.0.0 is deployed anywhere in your environment.
- Review the /inventory/customer-save workflow for input handling and output encoding weaknesses.
- Apply vendor fixes or mitigations as soon as an authoritative patch or advisory is available.
- Restrict access to the affected function to the smallest feasible set of authenticated users.
- Monitor logs and application telemetry for unusual input patterns, script injection attempts, or suspicious inventory/customer-save activity.
- Consider compensating controls such as output encoding, server-side validation, and a web application firewall rule set tuned for XSS.
- If compromise is suspected, review session handling and user activity for unauthorized actions originating from the affected workflow.
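The following is an added example, not code from PatchSiren or from the Devs Palace ERP Online product, illustrating the compensating controls and monitoring items in the list above: server-side validation of a customer-name field, the unsafe string-concatenation pattern shown beside its output-encoded form, and a scan over request logs for script-injection attempts aimed at the /inventory/customer-save path. The log line format, the field name `name`, the user names and the submitted values are constructed assumptions; only the path comes from the record.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample request log lines (assumed format, not from the advisory):
# timestamp, user, method, path, url-encoded form body.
SAMPLE_LOG = [
    "2026-05-10T04:01:10Z admin POST /inventory/customer-save name=Acme%20Ltd",
    "2026-05-10T04:02:33Z admin POST /inventory/customer-save name=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "2026-05-10T04:03:05Z clerk POST /inventory/customer-save name=Jane%20O%27Brien",
    "2026-05-10T04:04:41Z admin POST /inventory/customer-save name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E",
]

MAX_NAME_LEN = 120
# Allow-list of characters a customer name is expected to contain (assumption).
NAME_ALLOWED = re.compile(r"^[\w .,'&()/-]{1,120}$")


def validate_customer_name(raw: str) -> str:
    """Server-side validation: reject empty, overlong, or structurally odd
    names before anything is persisted. Raises ValueError on rejection."""
    name = raw.strip()
    if not name or len(name) > MAX_NAME_LEN or not NAME_ALLOWED.match(name):
        raise ValueError("customer name rejected by server-side validation")
    return name


def render_customer_row_unsafe(name: str) -> str:
    """The weak pattern: untrusted data concatenated straight into HTML."""
    return f"<tr><td>{name}</td></tr>"


def render_customer_row(name: str) -> str:
    """Hardened form: contextual output encoding for an HTML text node, so a
    stored value can never be interpreted as markup or script."""
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


# Markers of script injection attempts in decoded form values.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)

TARGET_PATH = "/inventory/customer-save"


def flag_suspicious_requests(log_lines):
    """Scan request log lines for script-injection markers in form fields
    submitted to the affected path. Returns one dict per flagged field."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or unrelated line
        ts, user, _method, path, query = parts[:5]
        if path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so encoded '<' and '>' are caught.
        for field, values in parse_qs(query).items():
            for value in values:
                if SUSPICIOUS.search(value):
                    hits.append({"time": ts, "user": user, "field": field, "value": value})
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} user={hit['user']} field={hit['field']} value={hit['value']!r}")
```

Validation and encoding are independent layers: the allow-list stops most hostile input from being stored at all, while `html.escape` guarantees that whatever does reach the template is rendered inert. The log scan is a starting point for the monitoring item above; tune `SUSPICIOUS` and the parsed fields to the actual request logging in place.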
Evidence notes
All facts here are taken from the supplied corpus. The CVE was published and modified on 2026-05-10T03:16:07.703Z. The NVD metadata supplied with the record lists the affected path /inventory/customer-save, the weaknesses CWE-79 and CWE-94, and a CVSS 4.0 vector consistent with network-reachable XSS requiring user interaction and privilege. The referenced sources also include a public PoC asset and VulDB records. The vendor attribution in the corpus is marked low confidence and should be treated as needing review.
Official resources
The corpus indicates public disclosure on 2026-05-10 and reports that a public exploit is available. It also states the vendor was contacted early but did not respond. Vendor attribution in the corpus is low confidence, so product and scope