{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33656", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.218Z", "datePublished": "2026-04-22T20:01:24.195Z", "dateUpdated": "2026-04-23T13:47:56.303Z"}, "containers": {"cna": {"title": "EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x"}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"version": "< 9.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:01:24.195Z"}, "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue."}], "source": {"advisory": "GHSA-7922-x7cf-j54x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:47:31.281378Z", "id": "CVE-2026-33656", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:47:56.303Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user", "source": {"advisory": "GHSA-7922-x7cf-j54x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"status": "affected", "version": "< 9.3.4"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x", "name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:01:24.195Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33656", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:47:31.281378Z"}}}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T13:47:52.441Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33656", "state": "PUBLISHED", "dateUpdated": "2026-04-22T20:01:24.195Z", "dateReserved": "2026-03-23T15:23:42.218Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T20:01:24.195Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C81517CA-6567-41DC-A0A9-309FFD7B48E8", "versionEndExcluding": "9.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is concatenated directly into a file path with no sanitization in `EspoUploadDir::getFilePath()`, an attacker can redirect any file read or write operation to an arbitrary path within the web server's `open_basedir` scope. Version 9.3.4 fixes the issue."}], "id": "CVE-2026-33656", "lastModified": "2026-04-27T17:04:54.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:05.330", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "espocrm", "source": "cna", "vendor": "espocrm"}, "product": "espocrm", "vendor": "espocrm"}], "analysis": {"en": {"generated_at": "2026-04-27T08:27:28.766153+00:00", "value": {"mitigation_remediation": ["Upgrade EspoCRM to version 9.3.4 or later, which removes the unsanitized sourceId usage.", "Configure the open_basedir setting or adjust the web server file permissions so that only non\u2011essential directories are accessible, thereby limiting the scope of any potential path traversal.", "Restrict or disable attachment formula editing for privileged users until the patch is applied, and monitor the system for unexpected file modifications or anomalies in attachment records."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "EspoCRM versions earlier than 9.3.4 are affected. The vulnerability applies to the core EspoCRM product provided by espocrm, with no specific sub\u2011product or component mentioned beyond the Attachment handling mechanism.", "description_and_impact": "EspoCRM\u2019s built\u2011in formula engine can update the sourceId field on Attachment entities without sanitization. An authenticated administrator can trigger this function, allowing the sourceId to be set to an arbitrary file path. Because the path is concatenated directly into a file system location, the attacker can read or write any file within the web server\u2019s open_basedir scope. This flaw, a classic example of path traversal (CWE\u201122), can be leveraged to drop malicious files or modify existing ones, potentially leading to the execution of arbitrary code on the host.", "risk_and_exploitability": "The CVSS score of 9.1 categorizes this issue as critical, and although the EPSS score is not available, the absence of such data does not diminish the inherent danger when the flaw is present. The issue is not listed in CISA\u2019s KEV catalog, but the attack vector remains a logged\u2011in administrator who can craft a malicious formula. The exploitation process is straightforward: an attacker needs valid admin credentials, formulates a payload to modify the sourceId, and then performs the desired file read/write operation. The open_basedir setting limits the reachable space but still permits significant malicious actions within the allowed directory scope. Consequently, the likelihood of exploitation is considered high for impacted installations."}}}}, "created": "2026-04-22T21:30:27.595842+00:00", "updated": "2026-04-27T18:42:00.084560+00:00", "vendors": ["espocrm", "espocrm$PRODUCT$espocrm"]}