PatchSiren cyber security CVE debrief
CVE-2026-8221 Olografix CVE debrief
CVE-2026-8221 is a remote cross-site scripting issue reported in Devs Palace ERP Online up to 4.0.0, affecting the /inventory/item-save path. The NVD record also cites public proof-of-concept references, so affected organizations should treat the issue as publicly documented even though the scored impact is low.
- Vendor: Olografix
- Product: Unknown
- CVSS: LOW 1.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-10
- Original CVE updated: 2026-05-10
- Advisory published: 2026-05-10
- Advisory updated: 2026-05-10
Who should care
Administrators and security teams running Devs Palace ERP Online 4.0.0 or earlier, especially where privileged users interact with inventory-saving workflows or where the application is reachable by remote users.
Technical summary
The supplied NVD data describes an XSS flaw in an unknown function associated with /inventory/item-save. The CVSS v4 vector indicates network reachability, low attack complexity, required user interaction, and high privileges, with integrity impact only. NVD also lists CWE-79 and CWE-94 as weakness classifications.
Defensive priority
Low severity, but verify exposure and plan remediation promptly because the issue is public and includes a referenced proof-of-concept.
Recommended defensive actions
- Confirm whether any Devs Palace ERP Online instances are running version 4.0.0 or earlier.
- Apply the vendor fix or upgrade path as soon as one is available; if no patch exists, restrict access to the affected inventory workflow and the /inventory/item-save endpoint.
- Review server-side input handling and output encoding for the affected path, with particular attention to privileged or authenticated fields.
- Inspect application and access logs for unusual inventory-save activity or signs of XSS abuse from trusted sessions.
- Treat the public proof-of-concept references as a reason to accelerate remediation and tighten account/session controls.
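One way to start the log review recommended above, as an added example (not code from the NVD record, the vendor, or the referenced proof-of-concept). It assumes access logs in Combined Log Format; the marker list is generic, and the `name` parameter in the sample lines is hypothetical.

```python
import re
from urllib.parse import unquote_plus, urlsplit

AFFECTED_PATH = "/inventory/item-save"  # endpoint named in the CVE description

# Assumption: access logs are in Combined Log Format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Generic HTML/script markers (assumption; not derived from the referenced PoC).
MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I
)

def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded markup is also visible."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def triage(lines):
    """Return one finding per request that touched the affected endpoint."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path.rstrip("/") != AFFECTED_PATH:
            continue
        if MARKERS.search(decode(parts.query)):
            verdict = "markup-in-query"
        elif m["method"] in ("POST", "PUT"):
            # Request bodies are not in access logs; check app or WAF logs.
            verdict = "body-not-logged"
        else:
            verdict = "no-marker"
        findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "method": m["method"], "verdict": verdict})
    return findings

# Constructed sample lines; the "name" parameter is hypothetical.
SAMPLE = [
    '203.0.113.7 - admin1 [10/May/2026:09:14:02 +0000] "POST /inventory/item-save HTTP/1.1" 200 512',
    '203.0.113.7 - admin1 [10/May/2026:09:15:40 +0000] "GET /inventory/item-save?name=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 498',
    '198.51.100.20 - clerk2 [10/May/2026:09:16:11 +0000] "GET /inventory/list HTTP/1.1" 200 2048',
    '198.51.100.20 - admin2 [10/May/2026:09:17:30 +0000] "GET /inventory/item-save?name=%253Cscript%253E HTTP/1.1" 302 0',
]
```

Findings marked `body-not-logged` cannot be cleared from access logs alone; correlate them by user and timestamp with application or WAF logs that record submitted fields.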
Evidence notes
The source corpus shows CVE-2026-8221 was published and modified on 2026-05-10. The NVD description states that the issue affects an unknown function in /inventory/item-save, can be exploited remotely, and that a public exploit has been published; it also says the vendor was contacted early but did not respond. The CVSS v4 vector in the source indicates AV:N, AC:L, PR:H, UI:P, and low integrity impact only. Weaknesses listed in the source are CWE-79 and CWE-94. The vendor field in the supplied data is low confidence, so the product/version and affected path are the most reliable identifiers.
Official resources
Published in the supplied NVD record on 2026-05-10. The source description states that the vendor was contacted early and did not respond, and that a public exploit reference exists.