Vulnerability Description
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Espocrm | Espocrm | < 9.3.4 |
Related Weaknesses (CWE)
References
- https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54xExploitVendor Advisory
- https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54xExploitVendor Advisory
FAQ
What is CVE-2026-33656?
CVE-2026-33656 is a vulnerability with a CVSS score of 9.1 (CRITICAL). EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an aut...
How severe is CVE-2026-33656?
CVE-2026-33656 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33656?
Check the references section above for vendor advisories and patch information. Affected products include: Espocrm Espocrm.