CRITICAL: CVE-2026-33656 (CVSS 9.1) — espocrm espocrm

CVE: CVE-2026-33656

CVSS: 9.1 (3.1) — CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Severity: CRITICAL

Status: Critical advisory

Affected

espocrm espocrm

Summary

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the sourceId field on Attachment entities. Because sourceId is concatenated directly into a file path with no sanitization in EspoUploadDir::getFilePath(), an attacker can redirect any file read or write operation to an arbitrary path within the web server's open_basedir scope. Version 9.3.4 fixes the issue.

Verified Sources

References

https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x
https://github.com/espocrm/espocrm/security/advisories/GHSA-7922-x7cf-j54x

_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

#espocrm #critical