CVE-2026-7782

CodeCanyon Perfex CRM Tenant Clients.php project authorization

CVSS 5.3 MEDIUMEPSS 0.2%CWE-285 CWE-639

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.3EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

04 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from remote. The exploit is now public and may be used.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Affected products

CodeCanyon · Perfex CRM

public PoCs found — 1

cve_referencebytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-commentsunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments https://vuldb.com/submit/807683 https://vuldb.com/vuln/360979 https://vuldb.com/vuln/360979/cti