Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4.
AnalysisAI
Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.
Technical ContextAI
EspoCRM (CPE: cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*) fails to sanitize SVG uploads before serving them as top-level inline documents via both the attachment and image entry points. SVG is an XML-based format that natively supports embedded script elements, making it a well-known XSS vector when served with content types that permit script execution. The root cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation). Critically, the deployed Content Security Policy blocks inline SVG script execution but retains a same-origin script-src allowance; because EspoCRM also serves attacker-uploaded JavaScript files from the same origin, an attacker can chain a malicious SVG with a second JavaScript attachment to bypass the inline-script restriction entirely. The vulnerability spans both the attachment and image entry points, broadening the reachable attack surface within normal user workflows.
RemediationAI
Upgrade EspoCRM to version 9.3.4, which is confirmed as the vendor-released fix per the GitHub security advisory at https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv. If an immediate upgrade is not feasible, administrators should consider restricting SVG file uploads at the application or web server layer - for example, by adding SVG to the list of blocked attachment MIME types or file extensions in EspoCRM's administration settings; this removes the attack vector entirely but may impact legitimate use of SVG assets. A secondary compensating control is to configure the web server to serve all attachments with a Content-Disposition: attachment header, which forces file download rather than inline rendering and breaks the XSS chain; however, this must be applied carefully as it may disrupt image preview functionality across the application. Tightening the CSP to remove same-origin script-src allowances would also neutralize the CSP bypass component of this attack chain, but may break legitimate EspoCRM functionality and requires testing. Patching to 9.3.4 remains the only fully confirmed and side-effect-free resolution.
Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local
Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any ext
EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is rem
Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization a
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating
Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or d
EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authentica
EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulner
Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s brow
EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated m
EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30967