Skip to main content

Espocrm

40 CVEs product

Monthly

CVE-2026-41141 MEDIUM POC PATCH This Month

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.

Authentication Bypass Espocrm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33741 MEDIUM POC PATCH This Month

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.

XSS Espocrm
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-33733 HIGH POC PATCH This Week

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or delete arbitrary files on the server filesystem. The vulnerability affects all versions prior to 9.3.4 and stems from unsanitized `name` and `scope` parameters in template path construction. Publicly available exploit code exists (GitHub security advisory GHSA-44c3-xjfp-3jrh), though no CISA KEV listing or confirmed active exploitation. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, but exploitation requires high-privilege (admin) access, significantly limiting real-world exposure to insider threats or compromised admin credentials.

Information Disclosure Espocrm
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-33656 CRITICAL POC PATCH Act Now

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. Despite the 9.1 CVSS score and Changed scope indicating potential container escape or cross-tenant impact, EPSS data was not provided to assess real-world exploitation likelihood.

Path Traversal Espocrm
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33740 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.

Authentication Bypass Espocrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33659 LOW POC PATCH Monitor

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.

RCE SSRF Espocrm
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-33657 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

XSS Espocrm
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-33534 MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.

SSRF Espocrm
NVD GitHub Exploit-DB VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2020-37094 HIGH POC This Week

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization and Espo-Authorization tokens to authenticate as a different user, including administrators, and inherit their privileges. The flaw stems from the login path never binding an auth token to its owning user, so a token valid for one account is accepted for another when passwords collide, also defeating two-factor authentication. Publicly available exploit code exists (Exploit-DB 48376); EPSS is low at 0.35%, and the issue is not listed in CISA KEV.

Authentication Bypass Espocrm
NVD Exploit-DB GitHub VulDB
CVSS 4.0
8.6
EPSS
0.4%
CVE-2025-52892 MEDIUM POC PATCH Monitor

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Espocrm
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2025-32390 HIGH POC PATCH This Month

EspoCRM is a free, open-source customer relationship management platform. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Espocrm
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2025-32789 LOW POC PATCH Monitor

EspoCRM is an Open Source Customer Relationship Management software. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Espocrm
NVD GitHub
CVSS 3.1
3.1
EPSS
0.2%
CVE-2025-32385 MEDIUM POC This Month

EspoCRM is an Open Source Customer Relationship Management software. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-24818 MEDIUM POC PATCH This Month

EspoCRM is an Open Source Customer Relationship Management software. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required. Public exploit code available.

Code Injection Espocrm
NVD GitHub
CVSS 3.1
5.9
EPSS
0.6%
CVE-2023-46736 MEDIUM POC PATCH This Month

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Espocrm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-5966 MEDIUM This Month

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP RCE Espocrm
NVD
CVSS 3.1
4.7
EPSS
0.9%
CVE-2023-5965 MEDIUM This Month

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP RCE Espocrm
NVD
CVSS 3.1
4.7
EPSS
0.9%
CVE-2022-38846 MEDIUM POC This Month

EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Espocrm
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2022-38845 MEDIUM POC This Month

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-38844 HIGH POC This Week

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Espocrm
NVD
CVSS 3.1
8.0
EPSS
1.1%
CVE-2022-38843 HIGH POC This Week

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Espocrm
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-3539 MEDIUM This Month

EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Espocrm
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2019-14550 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2019-14549 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2019-14548 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2019-14547 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2019-14546 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2019-14351 HIGH POC This Week

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Espocrm
NVD GitHub
CVSS 3.0
8.8
EPSS
1.3%
CVE-2019-14350 MEDIUM POC This Month

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-14349 MEDIUM POC This Month

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2019-14331 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.6. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
CVE-2019-14330 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.6. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
CVE-2019-14329 MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.6. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
CVE-2019-13643 MEDIUM POC This Month

Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-17302 MEDIUM POC This Month

Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
0.6%
CVE-2018-17301 MEDIUM POC This Month

Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
CVSS 3.0
5.4
EPSS
0.7%
CVE-2014-7987 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Espocrm
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2014-7986 MEDIUM POC PATCH This Month

install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Privilege Escalation Espocrm
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2014-7985 CRITICAL POC PATCH Act Now

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal PHP Espocrm
NVD
CVSS 2.0
10.0
EPSS
1.7%
CVE-2014-8330 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD
CVSS 2.0
3.5
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

EspoCRM's POST /api/v1/EmailTemplate/:id/prepare endpoint exposes an IDOR-class ACL bypass (CWE-639) allowing authenticated low-privileged users to exfiltrate all field values from arbitrary Contact, Lead, Account, or User records prior to version 9.3.5. By supplying a target entity's email address as an attacker-controlled lookup key, the endpoint resolves and returns the full record without enforcing read:own or read:team ACL restrictions. A publicly available proof-of-concept exists; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), but the low attack complexity and public POC meaningfully elevate real-world risk.

Authentication Bypass Espocrm
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Stored cross-site scripting in EspoCRM 9.3.3 and below enables an authenticated attacker to execute arbitrary JavaScript in the browser session of any user who opens a crafted SVG attachment. The attack exploits EspoCRM's inline SVG serving behavior combined with a CSP misconfiguration that blocks inline scripts but permits same-origin external scripts - allowing a separately uploaded attacker-controlled JavaScript file (also hosted on the same EspoCRM origin) to be loaded and executed. A public exploit exists per the vendor's own GitHub security advisory; no CISA KEV listing has been identified at time of analysis.

XSS Espocrm
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Path traversal in EspoCRM admin template management allows authenticated administrators to read, create, overwrite, or delete arbitrary files on the server filesystem. The vulnerability affects all versions prior to 9.3.4 and stems from unsanitized `name` and `scope` parameters in template path construction. Publicly available exploit code exists (GitHub security advisory GHSA-44c3-xjfp-3jrh), though no CISA KEV listing or confirmed active exploitation. CVSS 7.2 reflects high impact across confidentiality, integrity, and availability, but exploitation requires high-privilege (admin) access, significantly limiting real-world exposure to insider threats or compromised admin credentials.

Information Disclosure Espocrm
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Path traversal in EspoCRM's formula scripting engine allows authenticated administrators to achieve arbitrary file read/write on the web server by manipulating attachment sourceId fields. The vulnerability chains unsanitized user input with filesystem operations, enabling admins to overwrite or access files anywhere within PHP's open_basedir restriction. Publicly available exploit code exists. Vendor-released patch version 9.3.4 addresses this critical issue. Despite the 9.1 CVSS score and Changed scope indicating potential container escape or cross-tenant impact, EPSS data was not provided to assess real-world exploitation likelihood.

Path Traversal Espocrm
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. This issue is fixed in version 9.3.4.

Authentication Bypass Espocrm
NVD GitHub
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.

RCE SSRF Espocrm
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

XSS Espocrm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.

SSRF Espocrm
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Authorization bypass in EspoCRM 5.8.5 lets an authenticated low-privilege user reuse or manipulate Basic-Authorization and Espo-Authorization tokens to authenticate as a different user, including administrators, and inherit their privileges. The flaw stems from the login path never binding an auth token to its owning user, so a token valid for one account is accepted for another when passwords collide, also defeating two-factor authentication. Publicly available exploit code exists (Exploit-DB 48376); EPSS is low at 0.35%, and the issue is not listed in CISA KEV.

Authentication Bypass Espocrm
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 4.5
MEDIUM POC PATCH Monitor

EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Espocrm
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC PATCH This Month

EspoCRM is a free, open-source customer relationship management platform. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Espocrm
NVD GitHub
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

EspoCRM is an Open Source Customer Relationship Management software. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Espocrm
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

EspoCRM is an Open Source Customer Relationship Management software. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.9
MEDIUM POC PATCH This Month

EspoCRM is an Open Source Customer Relationship Management software. Rated medium severity (CVSS 5.9), this vulnerability is no authentication required. Public exploit code available.

Code Injection Espocrm
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

EspoCRM is an Open Source CRM (Customer Relationship Management) software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Espocrm
NVD GitHub
EPSS 1% CVSS 4.7
MEDIUM This Month

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP RCE +1
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP RCE +1
NVD
EPSS 0% CVSS 5.9
MEDIUM POC This Month

EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Espocrm
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD
EPSS 1% CVSS 8.0
HIGH POC This Week

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Espocrm
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Espocrm
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Espocrm
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.9. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

EspoCRM 5.6.4 is vulnerable to user password hash enumeration. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Espocrm
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functionality for storing documents in the account tab. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.6. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.6. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

An issue was discovered in EspoCRM before 5.6.6. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Espocrm
NVD
EPSS 1% CVSS 5.0
MEDIUM POC PATCH This Month

install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Privilege Escalation Espocrm
NVD
EPSS 2% CVSS 10.0
CRITICAL POC PATCH Act Now

Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal PHP Espocrm
NVD
EPSS 0% CVSS 3.5
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Espocrm
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy