What is the CVSS score of CVE-2026-33733?

CVE-2026-33733 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of EspoCRM are affected by CVE-2026-33733?

CVE-2026-33733 is a path traversal vulnerability in EspoCRM's admin template management that allows authenticated administrators to read, create, or delete arbitrary files on affected servers.. A patch is available.

Is there a public PoC exploit available for CVE-2026-33733?

Yes, a public proof-of-concept exploit is available for CVE-2026-33733. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-33733?

Within 24 hours: Identify all EspoCRM instances and document current versions. Within 7 days: Upgrade all instances to EspoCRM 9.3.4 or later; if immediate upgrade is not feasible, restrict admin template access to trusted personnel only and monitor admin activity logs. Within 30 days: Conduct post-patch validation and review admin account access controls to limit unnecessary elevated privileges.

EspoCRM CVE-2026-33733

EUVD-2026-25082 HIGH

Relative Path Traversal (CWE-23)

2026-04-22 GitHub_M

Information Disclosure Espocrm

7.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.2 HIGH

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Apr 27, 2026 - 15:08 vuln.today

Public exploit code

Patch released

Apr 27, 2026 - 15:08 nvd

Patch available

Re-analysis Queued

Apr 23, 2026 - 18:42 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:54 vuln.today

Patch available

Apr 22, 2026 - 22:02 EUVD

EUVD ID Assigned

Apr 22, 2026 - 20:31 euvd

EUVD-2026-25082

Analysis Generated

Apr 22, 2026 - 20:31 vuln.today

CVE Published

Apr 22, 2026 - 20:05 nvd

HIGH 7.2

DescriptionGitHub Advisory

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an authenticated admin can use ../ sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files that resolve to body.tpl or subject.tpl under the web application user's filesystem permissions. Version 9.3.4 fixes the issue.

AnalysisAI

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or delete arbitrary files on the server filesystem. The vulnerability affects all versions prior to 9.3.4 and stems from unsanitized name and scope parameters in template path construction. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Compromise admin credentials

Delivery

Authenticate to EspoCRM admin panel

Exploit

Navigate to template management endpoint

Execution

Inject path traversal sequences in name/scope parameters

Persist

Manipulate arbitrary filesystem files

Impact

Exfiltrate sensitive data or inject backdoor

Access

Compromise admin credentials

Delivery

Authenticate to EspoCRM admin panel

Exploit

Navigate to template management endpoint

Execution

Inject path traversal sequences in name/scope parameters

Persist

Manipulate arbitrary filesystem files

Impact

Exfiltrate sensitive data or inject backdoor

Vulnerability AssessmentAI

Exploitation	Exploitation requires authenticated administrative access to the EspoCRM installation - specifically, a user account with permissions to manage email templates through the admin panel. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is moderate despite the 7.2 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with compromised EspoCRM administrator credentials (obtained via phishing, credential stuffing, or supply-chain attack) logs into the admin panel and navigates to the template management interface. They craft a malicious template creation request with `name` set to `../../../../config` and `scope` manipulated to traverse to the application root, targeting `data/config.php` (EspoCRM's main configuration file). …
Remediation	Upgrade EspoCRM to version 9.3.4 or later, which contains vendor-released patches that implement proper path normalization and traversal filtering for template management endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all EspoCRM instances and document current versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33733 vulnerability details – vuln.today

Back

EspoCRM CVE-2026-33733

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code