CVE-2026-33657— EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field

EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Web页面中脚本相关HTML标签转义处理不恰当(基本跨站脚本)

EspoCRM 安全漏洞

EspoCRM是EspoCRM开源的一套开源的基于Web的客户关系管理系统（CRM）。该系统提供销售自动化、社区和客户支持等功能。 EspoCRM 9.3.3及之前版本存在安全漏洞，该漏洞源于服务器端Handlebars模板使用未转义的三括号语法渲染post字段，可能导致存储型HTML注入攻击。

N/A

N/A