Skip to main content

EspoCRM CVE-2026-33656

| EUVDEUVD-2026-25081 CRITICAL
Path Traversal (CWE-22)
2026-04-22 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
PoC Detected
Apr 27, 2026 - 17:04 vuln.today
Public exploit code
Patch released
Apr 27, 2026 - 17:04 nvd
Patch available
Re-analysis Queued
Apr 23, 2026 - 16:12 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:45 vuln.today
Patch available
Apr 22, 2026 - 22:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 20:31 euvd
EUVD-2026-25081
Analysis Generated
Apr 22, 2026 - 20:31 vuln.today
CVE Published
Apr 22, 2026 - 20:01 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the sourceId field on Attachment entities. Because sourceId is concatenated directly into a file path with no sanitization in EspoUploadDir::getFilePath(), an attacker can redirect any file read or write operation to an arbitrary path within the web server's open_basedir scope. Version 9.3.4 fixes the issue.

AnalysisAI

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. Despite the 9.1 CVSS score and Changed scope indicating potential container escape or cross-tenant impact, EPSS data was not provided to assess real-world exploitation likelihood.

Technical ContextAI

EspoCRM implements a built-in formula scripting engine for business logic automation. The vulnerability exists in the attachment handling subsystem where the getFilePath() method in EspoUploadDir directly concatenates user-controlled sourceId values into filesystem paths without validation or sanitization. This is a classic CWE-22 path traversal vulnerability where an attacker can inject directory traversal sequences like '../' to escape intended directory boundaries. The CVSS vector shows Changed Scope (S:C), indicating the vulnerability can affect resources beyond its security scope - in this context, the formula engine's trust boundary is violated to access the broader filesystem. The attack requires high privileges (PR:H) as administrative access to EspoCRM is necessary to manipulate Attachment entities through the formula interface, but once authenticated the attack has low complexity (AC:L) with no user interaction required.

RemediationAI

Upgrade EspoCRM to version 9.3.4 or later, which implements input sanitization in the getFilePath() method to prevent path traversal attacks on sourceId fields. The vendor advisory at https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x contains upgrade instructions and patch details. If immediate patching is not feasible, implement compensating controls: restrict administrative access through multi-factor authentication and principle of least privilege to minimize insider threat surface; configure PHP open_basedir directives as restrictively as possible to limit filesystem access scope even if traversal succeeds; enable comprehensive file integrity monitoring on the web server to detect unauthorized modifications to application files or configuration; audit formula scripts created by administrators for suspicious file path manipulation patterns. Note that access restrictions only reduce attack surface - they do not eliminate the vulnerability, and determined attackers with legitimate admin credentials can still exploit the flaw. Deploy the vendor patch as the only complete remediation.

CVE-2014-7985 CRITICAL POC
10.0 Oct 31

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local

CVE-2022-38843 HIGH POC
8.8 Sep 16

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any ext

CVE-2019-14351 HIGH POC
8.8 Jul 28

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-37094 HIGH POC
8.6 Feb 03

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization a

CVE-2022-38844 HIGH POC
8.0 Sep 16

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating

CVE-2026-33733 HIGH POC
7.2 Apr 22

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or d

CVE-2026-33741 MEDIUM POC
6.8 May 19

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript

CVE-2026-41141 MEDIUM POC
6.5 May 28

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authentica

CVE-2023-46736 MEDIUM POC
6.5 Dec 05

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulner

CVE-2022-38845 MEDIUM POC
6.1 Sep 16

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s brow

CVE-2019-14350 MEDIUM POC
6.1 Jul 28

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated m

CVE-2019-14349 MEDIUM POC
6.1 Jul 28

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document

Share

CVE-2026-33656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy