
espocrm — Vulnerabilities & Security Advisories (18)

Browse all 18 CVE security advisories affecting espocrm. AI-powered Chinese analysis, POCs, and references for each vulnerability.

EspoCRM serves as a customer relationship management platform for sales, marketing, and service operations. Historically, it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation and access control flaws. The platform's 18 recorded CVEs highlight recurring issues in its API and file handling components. While no major public security incidents have been widely documented, the consistent pattern of vulnerabilities suggests a need for rigorous patch management and security hardening. Organizations implementing EspoCRM should prioritize regular updates and implement least privilege configurations to mitigate potential exploitation risks.

Top products by espocrm: EspoCRM
CVE ID | Title | Vendor | CWE | CVSS / Severity | Published
CVE-2026-33733 | EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read, write and delete | espocrm | CWE-23 | 7.2 High | 2026-04-22
CVE-2026-33656 | EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user | espocrm | CWE-22 | 9.1 Critical | 2026-04-22
CVE-2026-33740 | EspoCRM: Email importEml can import and delete another user's attachment by raw fileId | espocrm | CWE-639 | 5.4 Medium | 2026-04-13
CVE-2026-33659 | EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access | espocrm | CWE-918 | 3.5 Low | 2026-04-13
CVE-2026-33657 | EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field | espocrm | CWE-80 | 4.6 Medium | 2026-04-13
CVE-2026-33534 | EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation | espocrm | CWE-918 | 4.3 Medium | 2026-04-13
CVE-2020-37094 | EspoCRM 5.8.5 - Privilege Escalation | EspoCRM | CWE-639 | 9.8 Critical | 2026-02-03
CVE-2025-59428 | EspoCRM allows arbitrary user creation via stored SVG injection and CSRF | espocrm | CWE-352 | 5.4 Medium | 2025-10-14
CVE-2025-52892 | EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache | espocrm | CWE-444 | 4.5 Medium | 2025-08-05
CVE-2025-52575 | EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements | espocrm | CWE-90 | 6.5 Medium | 2025-07-21
CVE-2025-32390 | EspoCRM vulnerable to HTML Injection into phishing, which may lead to account takeover | espocrm | CWE-74 | 4.6 (AI) Medium (AI) | 2025-05-12
CVE-2025-32789 | EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function | espocrm | CWE-200 | 3.1 Low | 2025-04-16
CVE-2025-32385 | EspoCRM allows unrestricted Embedding in Iframe dashlet | espocrm | CWE-1021 | 5.3 Medium | 2025-04-15
CVE-2024-24818 | EspoCRM weakness in "Forgot password" | espocrm | CWE-610 | 5.9 Medium | 2024-02-29
CVE-2023-46736 | Server-Side Request Forgery in espocrm | espocrm | CWE-918 | 5.3 Medium | 2023-12-05
CVE-2023-5966 | Unrestricted Upload of File with Dangerous Type in EspoCRM | EspoCRM | CWE-434 | 4.7 Medium | 2023-11-30
CVE-2023-5965 | Unrestricted Upload of File with Dangerous Type in EspoCRM | EspoCRM | CWE-434 | 4.7 Medium | 2023-11-30
CVE-2021-3539 | EspoCRM Avatar Persistent XSS | EspoCRM | CWE-79 | 6.3 Medium | 2021-08-04

This page lists every published CVE security advisory associated with espocrm. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.