CVE-2026-4165

Summary

A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
WorksuiteHR, CRM and Project Management5.5.0affected
WorksuiteHR, CRM and Project Management5.5.1affected
WorksuiteHR, CRM and Project Management5.5.2affected
WorksuiteHR, CRM and Project Management5.5.3affected
WorksuiteHR, CRM and Project Management5.5.4affected
WorksuiteHR, CRM and Project Management5.5.5affected
WorksuiteHR, CRM and Project Management5.5.6affected
WorksuiteHR, CRM and Project Management5.5.7affected
WorksuiteHR, CRM and Project Management5.5.8affected
WorksuiteHR, CRM and Project Management5.5.9affected
WorksuiteHR, CRM and Project Management5.5.10affected
WorksuiteHR, CRM and Project Management5.5.11affected
WorksuiteHR, CRM and Project Management5.5.12affected
WorksuiteHR, CRM and Project Management5.5.13affected
WorksuiteHR, CRM and Project Management5.5.14affected
WorksuiteHR, CRM and Project Management5.5.15affected
WorksuiteHR, CRM and Project Management5.5.16affected
WorksuiteHR, CRM and Project Management5.5.17affected
WorksuiteHR, CRM and Project Management5.5.18affected
WorksuiteHR, CRM and Project Management5.5.19affected
WorksuiteHR, CRM and Project Management5.5.20affected
WorksuiteHR, CRM and Project Management5.5.21affected
WorksuiteHR, CRM and Project Management5.5.22affected
WorksuiteHR, CRM and Project Management5.5.23affected
WorksuiteHR, CRM and Project Management5.5.24affected
WorksuiteHR, CRM and Project Management5.5.25affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References