SB2026041457 - Multiple vulnerabilities in EspoCRM



SB2026041457 - Multiple vulnerabilities in EspoCRM

Published: April 14, 2026 Updated: May 11, 2026

Security Bulletin ID SB2026041457
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33740)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information and delete another user's attachment record.

The vulnerability exists due to improper access control in the POST /api/v1/Email/importEml endpoint and ImportEmlService attachment lookup when processing an attacker-controlled fileId. A remote user can supply a raw fileId referencing another user's .eml attachment to disclose sensitive information and delete another user's attachment record.

Exploitation requires Email:create and Import permissions, and the attacker must know or obtain the target attachment ID.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33659)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access internal network services and disclose limited information.

The vulnerability exists due to server-side request forgery in the POST /api/v1/Attachment/fromImageUrl endpoint when fetching a user-supplied image URL. A remote user can supply a hostname that passes validation but resolves differently at connection time to access internal network services and disclose limited information.

User interaction is not required, and exploitation requires attachment creation access.


3) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2026-33657)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary HTML into system-generated email notifications.

The vulnerability exists due to improper neutralization of HTML content in email notification templates when rendering Markdown-derived stream note content. A remote user can submit a specially crafted stream note to inject arbitrary HTML into system-generated email notifications.

User interaction is required to open the email notification, and the @mention feature enables targeted delivery to specific users.


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33534)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to make requests to internal resources and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the /api/v1/Attachment/fromImageUrl endpoint when processing a user-supplied image URL containing an alternative IPv4 representation. A remote user can send a specially crafted request using octal IPv4 notation to make requests to internal resources and disclose sensitive information.

In the confirmed flow, the fetched response is stored as an attachment.


5) Relative Path Traversal (CVE-ID: CVE-2026-33733)

CWE-ID: CWE-23 - Relative Path Traversal

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read, create, overwrite, or delete arbitrary files.

The vulnerability exists due to relative path traversal in the TemplateManager admin endpoints when handling attacker-controlled name and scope parameters in template path construction. A remote privileged user can send specially crafted requests with ../ sequences to read, create, overwrite, or delete arbitrary files.

The file operation is limited to paths that resolve to body.tpl or subject.tpl under the web application's filesystem permissions.


6) Path traversal (CVE-ID: CVE-2026-33656)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in EspoUploadDir::getFilePath() when processing an attachment sourceId value modified through the formula engine. A remote privileged user can overwrite the sourceId field on Attachment entities and upload crafted content to write files to an arbitrary path and execute arbitrary code.

Exploitation is possible only by an admin user. The issue affects both file read and write operations, and intermediate directories can be created as needed.


7) Cross-site scripting (CVE-ID: CVE-2026-33741)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser session.

The vulnerability exists due to cross-site scripting in the attachment and image entry points when serving uploaded SVG files as top-level inline documents that can load same-origin external scripts. A remote user can upload a crafted SVG and a second attacker-controlled JavaScript attachment, then trick a victim into opening the SVG to execute arbitrary JavaScript in the victim's browser session.

User interaction is required to open the crafted SVG, and exploitation is reachable through normal attachment-capable fields.


Remediation

Install update from vendor's website.