What is the CVSS score of CVE-2026-33656?

CVE-2026-33656 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of EspoCRM are affected by CVE-2026-33656?

CVE-2026-33656 is a critical path traversal vulnerability in EspoCRM's formula scripting engine that enables authenticated administrators to read and write arbitrary files on the web server,…. A patch is available.

Is there a public PoC exploit available for CVE-2026-33656?

Yes, a public proof-of-concept exploit is available for CVE-2026-33656. Prioritise patching immediately. EPSS: 0.1%.

EspoCRM CVE-2026-33656

EUVD-2026-25081 CRITICAL

Path Traversal (CWE-22)

2026-04-22 GitHub_M

Path Traversal

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Apr 27, 2026 - 17:04 vuln.today

Public exploit code

Patch released

Apr 27, 2026 - 17:04 nvd

Patch available

Re-analysis Queued

Apr 23, 2026 - 16:12 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:45 vuln.today

Patch available

Apr 22, 2026 - 22:02 EUVD

EUVD ID Assigned

Apr 22, 2026 - 20:31 euvd

EUVD-2026-25081

Analysis Generated

Apr 22, 2026 - 20:31 vuln.today

CVE Published

Apr 22, 2026 - 20:01 nvd

CRITICAL 9.1

DescriptionNVD

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the sourceId field on Attachment entities. Because sourceId is concatenated directly into a file path with no sanitization in EspoUploadDir::getFilePath(), an attacker can redirect any file read or write operation to an arbitrary path within the web server's open_basedir scope. Version 9.3.4 fixes the issue.

AnalysisAI

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. …

RemediationAI

Within 24 hours: Identify all EspoCRM instances in use and verify current versions; restrict administrative access to formula scripting features where possible and audit recent admin activities for suspicious file operations. Within 7 days: Apply vendor-released patch version 9.3.4 to all EspoCRM deployments; conduct post-patch testing in non-production environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33656 vulnerability details – vuln.today

Back

EspoCRM CVE-2026-33656

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code