A vulnerability was found in Devs Palace ERP Online up to 4.0.0 . It has been declared as problematic . Affected by this issue is some unknown functionality of the file /inventory/sales_save . The manipulation results in cross site scripting. This vulnerability is known as CVE-2026-8254 . It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.