EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue.
References
| Link | Resource |
|---|---|
| https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x | Exploit Vendor Advisory |
| https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x | Exploit Vendor Advisory |
Configurations
History
27 Apr 2026, 17:04
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x - Exploit, Vendor Advisory | |
| First Time |
Espocrm espocrm
Espocrm |
|
| CPE | cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:* |
23 Apr 2026, 15:37
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x - |
22 Apr 2026, 21:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-22 21:17
Updated : 2026-04-27 17:04
NVD link : CVE-2026-33656
Mitre link : CVE-2026-33656
CVE.ORG link : CVE-2026-33656
JSON object : View
Products Affected
espocrm
- espocrm
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')