Stored HTML Injection Vulnerability in EspoCRM by EspoCRM Team
CVE-2026-33657

4.6 MEDIUM

Key Information:

Vendor:
Espocrm
Status:
Vendor
CVE Published:
13 April 2026

What is CVE-2026-33657?

EspoCRM, an open source customer relationship management application, is vulnerable to a stored HTML injection. This vulnerability affects versions 9.3.3 and earlier, allowing authenticated users with standard privileges to inject malicious HTML code into system-generated email notifications. The issue arises from the use of unescaped triple-brace syntax in Handlebars templates combined with default inline HTML preservation in the Markdown processor. As a result, attacker-controlled HTML can be stored and rendered directly in emails, leading to potential phishing attacks and the ability to manipulate the user interface within the email content. The vulnerability also enables targeted delivery of malicious emails through the @mention feature, making it a significant concern for users receiving system emails. The issue has been addressed in version 9.3.4.
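The following is an added illustration, not EspoCRM's code, of the root cause described above: in Handlebars-style templates `{{field}}` HTML-escapes the substituted value while `{{{field}}}` inserts it verbatim, so a user-controlled field rendered with triple braces reaches the email body as live markup. The template, field names and sample post are constructed for the example; the `findRawInterpolations` lint is a hypothetical review aid that lists every triple-brace field so it can be checked against the fields users can edit.

```javascript
// Added example: minimal Handlebars-style interpolation showing escaped
// {{x}} versus raw {{{x}}} output. Not EspoCRM's template engine.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Single-pass renderer: triple braces insert the raw value, double braces
// insert the escaped value. One pass avoids re-interpolating inserted text.
function render(template, data) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, escKey) =>
      rawKey !== undefined ? String(data[rawKey] ?? '') : escapeHtml(data[escKey] ?? '')
  );
}

// Lint (hypothetical review aid): every field rendered with triple braces.
function findRawInterpolations(template) {
  return [...template.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)].map((m) => m[1]);
}

// Constructed sample: a mention-notification template, its hardened form,
// and a post body that a standard user could have typed.
const TEMPLATE = '<p>{{{userName}}} mentioned you:</p><blockquote>{{{post}}}</blockquote>';
const HARDENED = '<p>{{userName}} mentioned you:</p><blockquote>{{post}}</blockquote>';
const DATA = { userName: 'alice', post: '<b>hi</b>' };

// The raw template keeps the <b> tag as markup; the hardened one shows it as text.
console.log(render(TEMPLATE, DATA));
console.log(render(HARDENED, DATA));
console.log(findRawInterpolations(TEMPLATE)); // ['userName', 'post']
```

Note that escaping at the template stage is necessary but not the whole fix the advisory implies: a Markdown step that preserves inline HTML after rendering would still need to be configured to strip or escape it.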

Affected Version(s)

espocrm < 9.3.4

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
