Path traversal in EspoCRM - CVE-2026-33656

Published: April 23, 2026


Vulnerability identifier: #VU126933
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33656
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in EspoUploadDir::getFilePath() when it processes an attachment's sourceId value that has been modified through the formula engine. A remote privileged user can overwrite the sourceId field on Attachment entities and then upload crafted content to write files to an arbitrary path and execute arbitrary code.

Exploitation is possible only by an admin user. The issue affects both file read and write operations, and intermediate directories can be created as needed.
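The defect class here (CWE-22) is a path builder that trusts an identifier as a path component. The following is an added illustration written for this page in Python, not EspoCRM's own (PHP) code and not a reconstruction of EspoUploadDir::getFilePath(): a naive builder beside a hardened one that allow-lists the id shape and then verifies that the resolved path stays inside the upload root before any directory is created or file written. The upload root, the id pattern and the sample ids are constructed for the demo and are assumptions, not values from EspoCRM.

```python
import os
import re
import tempfile

# Shape of an attachment id this example accepts. EspoCRM's real id format is
# not reproduced here; the pattern is an assumption chosen for the demo.
SOURCE_ID_RE = re.compile(r"[A-Za-z0-9]{1,40}")


class UnsafeSourceId(ValueError):
    """Raised when a sourceId cannot be mapped to a path inside the upload root."""


def naive_file_path(upload_root: str, source_id: str) -> str:
    """Path builder with the CWE-22 defect: the id is trusted as a path component.

    Any separator or '..' inside source_id moves the result outside upload_root.
    Illustrative only; this is not EspoCRM's actual implementation.
    """
    return os.path.join(upload_root, source_id)


def escapes_root(upload_root: str, path: str) -> bool:
    """True if `path`, after resolving '..' and symlinks, is not under upload_root."""
    root = os.path.realpath(upload_root)
    resolved = os.path.realpath(path)
    return os.path.commonpath([root, resolved]) != root


def safe_file_path(upload_root: str, source_id: str) -> str:
    """Hardened builder: allow-list the id, then verify containment of the result.

    Two independent checks, so that a gap in one (for example a too-permissive
    regex) is still caught by the other.
    """
    if not SOURCE_ID_RE.fullmatch(source_id):
        raise UnsafeSourceId(f"sourceId has unexpected characters: {source_id!r}")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, source_id))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeSourceId(f"sourceId resolves outside upload root: {source_id!r}")
    return candidate


def safe_write(upload_root: str, source_id: str, data: bytes) -> str:
    """Write attachment bytes only through the hardened path builder.

    Intermediate directories are created only after containment has been
    proven, so a traversal value can never cause directories to appear elsewhere.
    """
    path = safe_file_path(upload_root, source_id)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def run_demo() -> dict:
    """Exercise both builders in a temporary upload root and report the outcomes."""
    root = tempfile.mkdtemp(prefix="upload-demo-")
    # Constructed sample id containing a parent-directory reference (not a real payload).
    hostile_id = os.path.join("..", "outside.txt")
    results = {"naive_escapes": False, "safe_rejects": False, "safe_writes_inside": False}
    results["naive_escapes"] = escapes_root(root, naive_file_path(root, hostile_id))
    try:
        safe_file_path(root, hostile_id)
    except UnsafeSourceId:
        results["safe_rejects"] = True
    written = safe_write(root, "a1b2c3d4e5f6", b"hello")  # constructed benign id
    results["safe_writes_inside"] = not escapes_root(root, written)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The containment check (`escapes_root`) is also the test a reviewer can apply to any other code path that touches the same upload directory, such as the read side the advisory mentions: resolve the final path and compare it against the resolved root rather than inspecting the raw id string.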


How to mitigate CVE-2026-33656

Install the security update from the vendor's website.

Sources