VTiger v7.0 CRM – (To) Persistent Email Vulnerability
A persistent input validation web vulnerability has been discovered in the official VTiger v7.0 CRM web application. The vulnerability allows remote attackers to inject malicious script code into the application side of the vulnerable module. The persistent vulnerability is located in the `To` parameter of the `Email` module: remote attackers are able to inject their own script code into this parameter, the injected code is stored persistently, and the request method used to inject is POST. The security risk of the persistent web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 4.8. Exploitation of the persistent input validation web vulnerability requires no privileged web application user account and only low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of the affected or connected module context.
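As an added illustration that is not part of this advisory and not VTiger's own code, the following Python shows the two controls a defender would apply to a recipient field such as `To`: strict validation when the POST request is received, and HTML escaping when the stored value is rendered back into the page, plus an audit pass over values that were stored before the fix. The function names, the address syntax accepted, and the sample values are assumptions made for this example.

```python
import html
import re

# Accept only bare addresses. Display names, angle brackets and any other
# markup characters are rejected, so nothing script-like can be stored.
# (Assumed policy for this example; a real deployment may be more permissive.)
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def check_to_field(raw_to):
    """Split a comma-separated To value and sort items into accepted/rejected."""
    accepted, rejected = [], []
    for item in raw_to.split(","):
        item = item.strip()
        if not item:
            continue
        (accepted if ADDRESS_RE.fullmatch(item) else rejected).append(item)
    return accepted, rejected


def store_to_field(raw_to):
    """Input-side control: refuse the whole request if any recipient is malformed.

    Returns the list of clean addresses that may be persisted."""
    accepted, rejected = check_to_field(raw_to)
    if rejected:
        raise ValueError("rejected recipients: %r" % rejected)
    if not accepted:
        raise ValueError("no recipients given")
    return accepted


def render_to_field(recipients):
    """Output-side control: escape every stored recipient before it reaches HTML,
    even though validation should already have kept markup out."""
    return ", ".join(html.escape(r, quote=True) for r in recipients)


def audit_stored_to(stored_values):
    """Detection: flag already-stored To values that would fail today's validation."""
    return [v for v in stored_values if check_to_field(v)[1]]


if __name__ == "__main__":
    # Constructed sample data, not taken from any real VTiger instance.
    print(store_to_field("alice@example.com, bob@example.org"))
    print(render_to_field(['x"y@example.com']))
    print(audit_stored_to(["carol@example.com", "<b>bold</b>@example.com"]))
```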