Aggregates CVE and security vulnerability intelligence across all espocrm-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk ssrf and vendor risk csrf and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-33733 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. As a result, an authenticated admin can use `../` sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files that resolve to `body.tpl` or `subject.tpl` under the web appl | [email protected] | 7.2 | 0.15% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33656 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `op | [email protected] | 9.1 | 0.05% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33740 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml atta | [email protected] | 5.4 | 0.02% | 2026-04-13 | 2026-04-22 |
| CVE-2026-33659 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty | [email protected] | 3.5 | 0.05% | 2026-04-13 | 2026-04-22 |
| CVE-2026-33657 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown | [email protected] | 4.6 | 0.03% | 2026-04-13 | 2026-04-22 |
| CVE-2026-33534 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing | [email protected] | 4.3 | 0.87% | 2026-04-13 | 2026-04-22 |
| CVE-2020-37094 | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | [email protected] | 8.7 | 0.35% | 2026-02-03 | 2026-03-03 |
| CVE-2025-59428 | EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page | [email protected] | 5.4 | 0.01% | 2025-10-14 | 2025-10-20 |
| CVE-2025-52892 | EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7. | [email protected] | 4.5 | 0.18% | 2025-08-05 | 2025-09-11 |
| CVE-2025-52575 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This | [email protected] | 6.5 | 0.60% | 2025-07-21 | 2025-08-05 |
| CVE-2025-32390 | EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and if they submit their credentials, they get captured in plain text. The vulnerability is allowed by overly permissive HTML editing being allowed on the KB articles. Any authenticated user with the priv | [email protected] | 7.0 | 0.32% | 2025-05-12 | 2025-06-17 |
| CVE-2025-32789 | EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of the sorted list of users. Although unlikely, if an attacker knows the hash value of their password, they can change the password and repeat the sorting until the other user's password hash is fully reveal | [email protected] | 3.1 | 0.46% | 2025-04-16 | 2025-06-18 |
| CVE-2025-32385 | EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messa | [email protected] | 5.3 | 0.38% | 2025-04-16 | 2025-06-27 |
| CVE-2024-24818 | EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2. | [email protected] | 5.9 | 0.12% | 2024-03-21 | 2025-06-27 |
| CVE-2023-46736 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via the upload image from url api. Users who have access to `the /Attachment/fromImageUrl` endpoint can specify URL to point to an internal host. Even though there is check for content type, it can be bypassed by redirects in some cases. This SSRF can be leveraged to disclose internal information (in some cases), target internal hosts and bypas | [email protected] | 5.3 | 0.10% | 2023-12-05 | 2024-11-21 |
| CVE-2023-5966 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution. | [email protected] | 4.7 | 0.44% | 2023-11-30 | 2026-04-20 |
| CVE-2023-5965 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution. | [email protected] | 4.7 | 0.47% | 2023-11-30 | 2026-04-20 |
| CVE-2022-38846 | EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack. | [email protected] | 5.9 | 0.15% | 2022-09-16 | 2024-11-21 |
| CVE-2022-38845 | Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser. | [email protected] | 6.1 | 0.18% | 2022-09-16 | 2024-11-21 |
| CVE-2022-38844 | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system. | [email protected] | 8.0 | 0.68% | 2022-09-16 | 2024-11-21 |