Relative Path Traversal in EspoCRM - CVE-2026-33733

Published: April 23, 2026


Vulnerability identifier: #VU126932
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33733
CWE-ID: CWE-23
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote user to read, create, overwrite, or delete arbitrary files.

The vulnerability exists due to relative path traversal in the TemplateManager admin endpoints when handling attacker-controlled name and scope parameters in template path construction. A remote privileged user can send specially crafted requests with ../ sequences to read, create, overwrite, or delete arbitrary files.

The file operation is limited to paths that resolve to body.tpl or subject.tpl under the web application's filesystem permissions.
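The root cause described above, user-controlled name and scope segments concatenated into a template path, is a generic pattern, so the following added example (not EspoCRM code; the directory layout, segment pattern and function names are assumptions for illustration) contrasts a naive path construction with a hardened one that rejects traversal at three independent layers: a strict per-segment allowlist, a fixed set of permitted file names, and a post-resolution containment check against the template root.

```python
import os
import re
from pathlib import Path

# Hypothetical template root; EspoCRM's real layout is not reproduced here.
TEMPLATE_ROOT = Path("/tmp/example_templates")  # assumption
# The advisory states the affected operations only ever touch these two files.
ALLOWED_FILES = {"body.tpl", "subject.tpl"}
# One path segment: letters/digits only, so '.', '/', '\\' and NUL can never appear.
SAFE_SEGMENT = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def vulnerable_template_path(root, scope, name, file):
    """Naive construction: scope and name are joined as-is, so a value
    containing '../' walks out of the template root."""
    return os.path.join(str(root), scope, name, file)


def escapes_root(root, path):
    """True when the lexically normalised path lies outside root
    (detection-side check; no filesystem access needed)."""
    root = os.path.normpath(str(root))
    normalised = os.path.normpath(path)
    return os.path.commonpath([root, normalised]) != root


def safe_template_path(root, scope, name, file):
    """Hardened construction. Returns a Path inside root or raises ValueError."""
    root = Path(root).resolve()
    # Layer 1: each user-supplied segment must be a plain identifier.
    for segment in (scope, name):
        if not isinstance(segment, str) or not SAFE_SEGMENT.fullmatch(segment):
            raise ValueError(f"invalid template path segment: {segment!r}")
    # Layer 2: the file name comes from a fixed set, never from the request.
    if file not in ALLOWED_FILES:
        raise ValueError(f"invalid template file: {file!r}")
    # Layer 3: after resolving symlinks, the result must still sit under root.
    candidate = (root / scope / name / file).resolve()
    if root not in candidate.parents:
        raise ValueError("template path escapes template root")
    return candidate


def is_safe_template_request(root, scope, name, file):
    """Boolean wrapper suitable for request validation or log-line triage."""
    try:
        safe_template_path(root, scope, name, file)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a legitimate request and one carrying '../' segments.
    for scope, name in (("Account", "MyTemplate"), ("../../outside", "MyTemplate")):
        naive = vulnerable_template_path(TEMPLATE_ROOT, scope, name, "body.tpl")
        print(f"scope={scope!r} naive={os.path.normpath(naive)} "
              f"escapes={escapes_root(TEMPLATE_ROOT, naive)} "
              f"accepted={is_safe_template_request(TEMPLATE_ROOT, scope, name, 'body.tpl')}")
```

The `escapes_root` check alone is useful on the detection side (for example, run over logged `scope`/`name` values), but the fix itself should rely on the allowlist first: rejecting anything that is not a bare identifier removes the traversal class entirely rather than trying to enumerate encodings of `../`.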


How to mitigate CVE-2026-33733

Install the security update from the vendor's website.

Sources