CVE-2026-33656 — AI Deep Analysis Summary

🚨 **Essence**: A Path Traversal vulnerability in EspoCRM's formula script engine. 📉 **Consequences**: Authenticated admins can overwrite the `sourceId` of attachments.…

🛡️ **Root Cause**: **CWE-22 (Path Traversal)**. 🐛 **Flaw**: The `EspoUploadDir::getFilePath` function concatenates the `sourceId` directly into the file path **without sanitization**.…

🏢 **Vendor**: EspoCRM. 📦 **Product**: EspoCRM (Open-source Web CRM). 📅 **Affected Versions**: **Before 9.3.4**. ✅ **Fixed Version**: 9.3.4 or later.

🕵️ **Privileges Required**: **Authenticated Administrator**. 🎯 **Capabilities**: Can overwrite attachment `sourceId` fields. 📂 **Data Impact**: Can read/write **any file** within the web server's `open_basedir` range.…

🔒 **Threshold**: **Medium/High**. 🚫 **Barrier**: Requires **Authenticated Admin** privileges. 🚫 **No UI**: No user interaction needed (UI:N). 🌐 **Network**: Remote exploitation possible (AV:N).…

📜 **Public Exploit**: **No**. 🚫 **PoC Status**: The `pocs` array is empty in the data. 🔍 **Reference**: Official advisory exists (GHSA-7922-x7cf-j54x), but no wild exploitation code is currently public.

🔍 **Self-Check**: 1. Verify EspoCRM version < 9.3.4. 2. Check for admin account exposure. 3. Scan for formula script engine usage in attachments. 🛠️ **Tooling**: Use version fingerprinting tools.…

✅ **Fixed**: **Yes**. 📦 **Patch**: Upgrade to **EspoCRM 9.3.4** or newer. 🔗 **Source**: Official GitHub Security Advisory (GHSA-7922-x7cf-j54x). 🔄 **Action**: Immediate update recommended for all affected instances.

🚧 **Workaround**: 1. **Restrict Admin Access**: Limit who has admin privileges. 2. **Input Validation**: If possible, patch the `EspoUploadDir::getFilePath` logic to sanitize `sourceId`. 3.…

🔥 **Urgency**: **High**. 📊 **CVSS**: 9.8 (Critical). 📈 **Priority**: **P1**. ⚡ **Reason**: Although it requires admin auth, the impact is full file system access within `open_basedir`.…