Security Vulnerability in EspoCRM by EspoCRM Tech
CVE-2026-33656

9.1CRITICAL

Key Information:

Vendor: Espocrm
Status: Espocrm
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-33656?

EspoCRM, an open source customer relationship management application, contains a vulnerability in its built-in formula scripting engine prior to version 9.3.4. This flaw allows an authenticated administrator to modify the sourceId field on Attachment entities. The vulnerability arises because sourceId is directly concatenated into a file path without proper sanitization in the EspoUploadDir::getFilePath() method. Consequently, this allows attackers to redirect file operations to arbitrary paths within the web server's access scope, potentially leading to unauthorized access to sensitive data or system compromise. Version 9.3.4 addresses and resolves this vulnerability.

Affected Version(s)

espocrm < 9.3.4

References

https://github.com/espocrm/espocrm/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33656 Data

JSON

Espocrm

What is CVE-2026-33656?

Affected Version(s)

References

CVSS V3.1

Timeline