Deserialization of Untrusted Data in EspoCRM - CVE-2026-47168

 


Published: June 18, 2026


Vulnerability identifier: #VU134835
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-47168
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: EspoCRM
Affected software:
EspoCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because the application deserializes untrusted data: parameters stored for background operations (MassAction/Export) are restored as serialized PHP objects without restriction. A remote privileged user can store specially crafted serialized data that is later deserialized and can lead to arbitrary code execution.

The issue is exploitable by an administrator, and the crafted data is later processed by the application.
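The pattern the advisory describes, as an added illustration that is not EspoCRM's code: a hypothetical background-job runner that restores stored MassAction/Export parameters. The first loader feeds the stored blob to `unserialize()` with no class restriction, so any class named in the data is instantiated and its magic methods run; the hardened variants persist parameters as JSON and, for records that already exist in serialized form, refuse every class. The `AuditMarker` class and the parameter shape are constructed for the demonstration.

```php
<?php
// Hypothetical job-parameter handling for a CWE-502 demonstration; not EspoCRM code.
// Benign marker standing in for any class with a magic method: the risk in a real
// application is whatever __wakeup/__destruct does with attacker-controlled properties.
class AuditMarker {
    public string $note = '';
    public static bool $wokeUp = false;
    public function __wakeup(): void { self::$wokeUp = true; }
}

// Vulnerable: stored parameters are trusted and passed to unserialize() unrestricted,
// so every class name that appears in the blob is instantiated and its __wakeup runs.
function loadParamsVulnerable(string $stored): array {
    $params = unserialize($stored);
    return is_array($params) ? $params : [];
}

// Hardened: persist parameters as JSON; json_decode() with assoc=true yields only
// scalars and arrays, never objects, and the result is checked against the expected shape.
function saveParamsHardened(array $params): string {
    return json_encode($params, JSON_THROW_ON_ERROR);
}
function loadParamsHardened(string $stored): array {
    $params = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    if (!isset($params['entityType']) || !is_string($params['entityType'])) {
        throw new InvalidArgumentException('Unexpected job parameter shape');
    }
    return $params;
}

// Interim loader for rows already stored in serialized form: allowed_classes=false turns any
// embedded object into __PHP_Incomplete_Class without running magic methods; reject it outright.
function loadLegacyParams(string $stored): array {
    $params = unserialize($stored, ['allowed_classes' => false]);
    array_walk_recursive($params, function ($v) {
        if (is_object($v)) { throw new InvalidArgumentException('Objects not allowed in job parameters'); }
    });
    return is_array($params) ? $params : [];
}

// Constructed stored blob: a parameter set that embeds an object alongside ordinary values.
$stored = serialize(['entityType' => 'Account', 'filter' => new AuditMarker()]);

loadParamsVulnerable($stored);
echo 'vulnerable loader ran __wakeup: ', var_export(AuditMarker::$wokeUp, true), "\n";

AuditMarker::$wokeUp = false;
foreach (['loadParamsHardened', 'loadLegacyParams'] as $loader) {
    try { $loader($stored); } catch (Throwable $e) { echo "$loader rejected: ", $e->getMessage(), "\n"; }
}
echo 'hardened loaders ran __wakeup: ', var_export(AuditMarker::$wokeUp, true), "\n";
```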


How to mitigate CVE-2026-47168

Install the security update from the vendor's website.

Sources