CVE-2026-33657

April 13, 2026, 9:16 p.m.

4.6
Medium

Description

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

Product(s) Impacted

Vendor Product Versions
Espo
  • Espo Crm
  • <9.3.4, 9.3.4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a espo espo_crm <9.3.4 / / / / / / /
a espo espo_crm 9.3.4 / / / / / / /

References

https://github.com/espocrm/espocrm/releases/tag/9.3.4
https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574
https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574

Tags

[email protected]
CWE-80
2026-04-13
CVE-2026-33657

CVSS Score

4.6 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: April 13, 2026, 8:16 p.m.
Last Modified: April 13, 2026, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.