{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33534", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.831Z", "datePublished": "2026-04-13T19:20:04.414Z", "dateUpdated": "2026-04-14T16:28:58.299Z"}, "containers": {"cna": {"title": "EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73"}, {"name": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4"}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"version": "< 9.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T19:20:04.414Z"}, "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4."}], "source": {"advisory": "GHSA-h7gx-8gwv-7g73", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:28:00.570907Z", "id": "CVE-2026-33534", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:28:58.299Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33534", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:28:00.570907Z"}}}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:28:11.783Z"}}], "cna": {"title": "EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation", "source": {"advisory": "GHSA-h7gx-8gwv-7g73", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"status": "affected", "version": "< 9.3.4"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73", "name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "name": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T19:20:04.414Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33534", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:28:58.299Z", "dateReserved": "2026-03-20T18:05:11.831Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T19:20:04.414Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C81517CA-6567-41DC-A0A9-309FFD7B48E8", "versionEndExcluding": "9.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4."}], "id": "CVE-2026-33534", "lastModified": "2026-04-22T00:12:27.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T20:16:33.970", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "espocrm", "source": "cna", "vendor": "espocrm"}, "product": "espocrm", "vendor": "espocrm"}], "analysis": {"en": {"generated_at": "2026-04-13T21:52:20.651924+00:00", "value": {"mitigation_remediation": ["Upgrade EspoCRM to version 9.3.4 or later"], "summary": {"action": "Patch Immediately", "impact": "Authenticated internal SSRF that can expose loopback services and internal resources"}, "threat_synthesis": {"affected_systems": "The affected product is EspoCRM, versions 9.3.3 and earlier. The vulnerability is fixed in version 9.3.4. Any installation running a vulnerable release is susceptible until it is upgraded.", "description_and_impact": "EspoCRM versions 9.3.3 and older allow an authenticated user to exploit a Server\u2011Side Request Forgery by supplying IPv4 addresses in alternative octal notation that bypasses the internal\u2011host validation logic. The flaw relies on PHP\u2019s filter_var function, which does not recognize alternative IP formats, resulting in the server resolving the address to the loopback host and storing the fetched content as an attachment. This weakness, classified as CWE\u2011918, enables access to services reachable only from the application\u2019s runtime environment.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the vulnerability requires valid authentication to trigger the /api/v1/Attachment/fromImageUrl endpoint, limiting the attack surface. EPSS data are not available, and the issue is not listed in CISA\u2019s KEV catalog. An attacker can log into the application, supply a crafted URL using an obfuscated IP address, and force the server to contact internal services over the loopback interface, potentially exposing sensitive data."}}}}, "created": "2026-04-14T16:18:21.647669+00:00", "updated": "2026-04-14T16:33:28.870554+00:00", "vendors": ["espocrm", "espocrm$PRODUCT$espocrm"]}