Path Traversal Vulnerability in EspoCRM by EspoCRM
CVE-2026-33733

7.2 HIGH

Key Information:

Vendor: EspoCRM
Status: Vendor
CVE Published: 22 April 2026

What is CVE-2026-33733?

EspoCRM, an open source customer relationship management application, contains a path traversal vulnerability in its admin template management endpoints. The name and scope values these endpoints accept are used when resolving the template file path, and an authenticated administrator can supply values that escape the intended template directory. This can allow unauthorized reading, creation, overwriting, or deletion of files within the web application's file system. Because the endpoints are admin-only (Privileges Required: High), the practical risk is a compromised or malicious administrator account rather than an anonymous attacker, but a file write inside the application directory can still be leveraged to execute code, so the impact is rated High on all three axes. Versions prior to 9.3.4 are affected; the issue is fixed in 9.3.4, and affected installations should upgrade.
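The bug class described above, as an added illustration that is not EspoCRM's code and does not reproduce the actual vulnerable endpoint: a template lookup that concatenates caller-supplied scope and name values into a path, beside a hardened version that allowlists both identifiers and then checks that the normalized path still lies under the template directory. The base directory, the function names and the identifier rule are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration of the bug class in CVE-2026-33733. This is NOT EspoCRM's
// code; the directory layout, function names and identifier rule are assumptions.

// Assumed template directory for the example.
const TEMPLATE_BASE = '/var/www/espocrm/custom/Espo/Custom/Resources/templates';

// Vulnerable pattern: caller-controlled scope/name go straight into the path.
// scope="../../../../../etc" escapes TEMPLATE_BASE entirely.
function templatePathUnsafe(string $scope, string $name): string
{
    return TEMPLATE_BASE . '/' . $scope . '/' . $name . '.tpl';
}

// Hardened pattern: allowlist the identifiers, then verify containment.
function templatePathSafe(string $scope, string $name): string
{
    // Assumed identifier rule: a letter followed by letters or digits only.
    // This rejects '/', '\', '.', NUL and anything else that could traverse.
    $identifier = '/\A[A-Za-z][A-Za-z0-9]*\z/';
    if (!preg_match($identifier, $scope) || !preg_match($identifier, $name)) {
        throw new InvalidArgumentException('scope and name must be plain identifiers');
    }

    $candidate = TEMPLATE_BASE . '/' . $scope . '/' . $name . '.tpl';

    // Defense in depth: even if the identifier rule is relaxed later, the
    // resolved path must still start with the template directory.
    $normalized = normalizePath($candidate);
    if (strpos($normalized, TEMPLATE_BASE . '/') !== 0) {
        throw new RuntimeException('resolved path escapes the template directory');
    }
    return $normalized;
}

// Lexical normalization of an absolute path: collapses '.', '..' and empty
// segments without touching the filesystem. Unlike realpath(), this also works
// for files that do not exist yet, which matters for the "create" case.
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $part;
    }
    return '/' . implode('/', $out);
}

// Constructed inputs: a legitimate request, a traversal attempt and a
// NUL-byte variant. None of these come from the advisory.
$cases = [
    ['Account', 'invoice'],
    ['../../../../../etc', 'passwd'],
    ["Account\x00", 'invoice'],
];

foreach ($cases as [$scope, $name]) {
    echo 'unsafe: ' . templatePathUnsafe($scope, $name) . PHP_EOL;
    try {
        echo 'safe:   ' . templatePathSafe($scope, $name) . PHP_EOL;
    } catch (Throwable $e) {
        echo 'safe:   rejected (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

The allowlist is the control that actually closes the hole; the containment check exists so that a later change to the identifier rule cannot quietly reopen it. Note that the traversal payload also escapes when only one of the two values is attacker-controlled, which is why both must be validated.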

Affected Version(s)

espocrm < 9.3.4

References

CVSS v3.1

Score: 7.2
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 22 April 2026
