{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33733", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-04-22T20:05:23.809Z", "dateUpdated": "2026-04-23T16:25:04.022Z"}, "containers": {"cna": {"title": "EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh"}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"version": "< 9.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:05:23.809Z"}, "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. As a result, an authenticated admin can use `../` sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files that resolve to `body.tpl` or `subject.tpl` under the web application user's filesystem permissions. Version 9.3.4 fixes the issue."}], "source": {"advisory": "GHSA-44c3-xjfp-3jrh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:36:13.697532Z", "id": "CVE-2026-33733", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:25:04.022Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete", "source": {"advisory": "GHSA-44c3-xjfp-3jrh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "espocrm", "product": "espocrm", "versions": [{"status": "affected", "version": "< 9.3.4"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh", "name": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. As a result, an authenticated admin can use `../` sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files that resolve to `body.tpl` or `subject.tpl` under the web application user's filesystem permissions. Version 9.3.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:05:23.809Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33733", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:36:13.697532Z"}}}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-23T13:36:24.999Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33733", "state": "PUBLISHED", "dateUpdated": "2026-04-22T20:05:23.809Z", "dateReserved": "2026-03-23T17:34:57.560Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T20:05:23.809Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C81517CA-6567-41DC-A0A9-309FFD7B48E8", "versionEndExcluding": "9.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. As a result, an authenticated admin can use `../` sequences to escape the intended template directory and read, create, overwrite, or delete arbitrary files that resolve to `body.tpl` or `subject.tpl` under the web application user's filesystem permissions. Version 9.3.4 fixes the issue."}], "id": "CVE-2026-33733", "lastModified": "2026-04-27T15:08:59.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:05.970", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-44c3-xjfp-3jrh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "espocrm", "source": "cna", "vendor": "espocrm"}, "product": "espocrm", "vendor": "espocrm"}], "analysis": {"en": {"generated_at": "2026-04-27T08:26:56.380442+00:00", "value": {"mitigation_remediation": ["Upgrade to EspoCRM 9.3.4 or later to remove the vulnerability.", "Limit TemplateManager access by reducing the number of administrator accounts or disabling the feature for roles that do not require it.", "Modify file system permissions so that the web application user cannot write outside the intended template directory, adding an additional layer of defense."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file read/write/delete via path traversal"}, "threat_synthesis": {"affected_systems": "All EspoCRM installations running a version earlier than 9.3.4 are vulnerable. The issue is confined to environments where the application runs under a user identity that has write permissions to the directories where body.tpl and subject.tpl reside, typically the web server's user account. Only users with administrative privileges to the TemplateManager interface are able to exploit the error.", "description_and_impact": "EspoCRM's TemplateManager accepts attacker-controlled name and scope parameters without normalizing paths, enabling an authenticated administrator to use '../' sequences to escape the intended template directory. This allows the admin to read, create, overwrite, or delete arbitrary files that resolve to body.tpl or subject.tpl within the web application's user filesystem. The flaw can be exploited to access sensitive configuration files, modify application logic, or delete critical data, potentially leading to further compromise of the system.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The attack requires an authenticated admin session, so exploitation is limited to accounts with TemplateManager access, but the impact of modifying or deleting configuration or template files can lead to data loss or further privilege escalation. Regular users without admin rights cannot exploit the flaw, but may be affected by data loss caused by an admin attacker."}}}}, "created": "2026-04-22T22:15:26.135112+00:00", "updated": "2026-04-27T18:42:00.083767+00:00", "vendors": ["espocrm", "espocrm$PRODUCT$espocrm"]}