CVE-2026-33656
Last modified
CVE-2026-33656 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Espocrm | Espocrm | < 9.3.4 |
References
- https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54xExploit, Vendor Advisory
- https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54xExploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33656?
How severe is CVE-2026-33656?
How do I fix CVE-2026-33656?
Are you affected by CVE-2026-33656?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST