CVE-2026-33656 | THREATINT

Description

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.

PUBLISHED Reserved 2026-03-23 | Published 2026-04-22 | Updated 2026-04-23 | Assigner GitHub_M

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 9.3.4

affected

References

github.com/...spocrm/security/advisories/GHSA-7922-x7cf-j54x exploit

github.com/...spocrm/security/advisories/GHSA-7922-x7cf-j54x

cve.org (CVE-2026-33656)

nvd.nist.gov (CVE-2026-33656)

Download JSON