Skip to main content

EspoCRM CVE-2026-33741

| EUVDEUVD-2026-30967 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-19 GitHub_M
6.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
May 19, 2026 - 19:02 EUVD
Analysis Generated
May 19, 2026 - 19:01 vuln.today

DescriptionGitHub Advisory

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4.

AnalysisAI

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.

Technical ContextAI

EspoCRM (CPE: cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*) fails to sanitize SVG uploads before serving them as top-level inline documents via both the attachment and image entry points. SVG is an XML-based format that natively supports embedded script elements, making it a well-known XSS vector when served with content types that permit script execution. The root cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation). Critically, the deployed Content Security Policy blocks inline SVG script execution but retains a same-origin script-src allowance; because EspoCRM also serves attacker-uploaded JavaScript files from the same origin, an attacker can chain a malicious SVG with a second JavaScript attachment to bypass the inline-script restriction entirely. The vulnerability spans both the attachment and image entry points, broadening the reachable attack surface within normal user workflows.

RemediationAI

Upgrade EspoCRM to version 9.3.4, which is confirmed as the vendor-released fix per the GitHub security advisory at https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv. If an immediate upgrade is not feasible, administrators should consider restricting SVG file uploads at the application or web server layer - for example, by adding SVG to the list of blocked attachment MIME types or file extensions in EspoCRM's administration settings; this removes the attack vector entirely but may impact legitimate use of SVG assets. A secondary compensating control is to configure the web server to serve all attachments with a Content-Disposition: attachment header, which forces file download rather than inline rendering and breaks the XSS chain; however, this must be applied carefully as it may disrupt image preview functionality across the application. Tightening the CSP to remove same-origin script-src allowances would also neutralize the CSP bypass component of this attack chain, but may break legitimate EspoCRM functionality and requires testing. Patching to 9.3.4 remains the only fully confirmed and side-effect-free resolution.

CVE-2014-7985 CRITICAL POC
10.0 Oct 31

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local

CVE-2026-33656 CRITICAL POC
9.1 Apr 22

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/

CVE-2022-38843 HIGH POC
8.8 Sep 16

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any ext

CVE-2019-14351 HIGH POC
8.8 Jul 28

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-37094 HIGH POC
8.6 Feb 03

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization a

CVE-2022-38844 HIGH POC
8.0 Sep 16

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating

CVE-2026-33733 HIGH POC
7.2 Apr 22

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or d

CVE-2026-41141 MEDIUM POC
6.5 May 28

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authentica

CVE-2023-46736 MEDIUM POC
6.5 Dec 05

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulner

CVE-2022-38845 MEDIUM POC
6.1 Sep 16

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s brow

CVE-2019-14350 MEDIUM POC
6.1 Jul 28

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated m

CVE-2019-14349 MEDIUM POC
6.1 Jul 28

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document

Share

CVE-2026-33741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy