Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

espocrm — Vulnerabilities & Security Advisories 18

Browse all 18 CVE security advisories affecting espocrm. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by espocrm:EspoCRM
CVE IDTitleCVSSSeverityPublished
CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete — espocrmCWE-23 7.2 High2026-04-22
CVE-2026-33656 EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user — espocrmCWE-22 9.1 Critical2026-04-22
CVE-2026-33740 EspoCRM: Email importEml can import and delete another user's attachment by raw fileId — espocrmCWE-639 5.4 Medium2026-04-13
CVE-2026-33659 EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access — espocrmCWE-918 3.5 Low2026-04-13
CVE-2026-33657 EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field — espocrmCWE-80 4.6 Medium2026-04-13
CVE-2026-33534 EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation — espocrmCWE-918 4.3 Medium2026-04-13
CVE-2020-37094 EspoCRM 5.8.5 - Privilege Escalation — EspoCRMCWE-639 9.8 Critical2026-02-03
CVE-2025-59428 EspoCRM allows arbitrary user creation via stored SVG injection and CSRF — espocrmCWE-352 5.4 Medium2025-10-14
CVE-2025-52892 EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache — espocrmCWE-444 4.5 Medium2025-08-05
CVE-2025-52575 EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements — espocrmCWE-90 6.5 Medium2025-07-21
CVE-2025-32390 EspoCRM vulnerable to HTML Injection into phishing, which may lead to account takeover — espocrmCWE-74 4.6AIMediumAI2025-05-12
CVE-2025-32789 EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function — espocrmCWE-200 3.1 Low2025-04-16
CVE-2025-32385 EspoCRM allows unrestricted Embedding in Iframe dashlet — espocrmCWE-1021 5.3 Medium2025-04-15
CVE-2024-24818 EspoCRM weakness in "Forgot password" — espocrmCWE-610 5.9 Medium2024-02-29
CVE-2023-46736 Server-Side Request Forgery in espocrm — espocrmCWE-918 5.3 Medium2023-12-05
CVE-2023-5966 Unrestricted Upload of File with Dangerous Type in EspoCRM — EspoCRMCWE-434 4.7 Medium2023-11-30
CVE-2023-5965 Unrestricted Upload of File with Dangerous Type in EspoCRM — EspoCRMCWE-434 4.7 Medium2023-11-30
CVE-2021-3539 EspoCRM Avatar Persistent XSS — EspoCRMCWE-79 6.3 Medium2021-08-04

This page lists every published CVE security advisory associated with espocrm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.