| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2026-33656 | 22 Apr 202620:01 | β | attackerkb | |
| CVE-2026-33656 | 25 Mar 202612:58 | β | circl | |
| EspoCRM θ·―εΎιεζΌζ΄ | 22 Apr 202600:00 | β | cnnvd | |
| CVE-2026-33656 EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user | 22 Apr 202620:01 | β | cvelist | |
| EUVD-2026-25081 | 22 Apr 202620:01 | β | euvd | |
| CVE-2026-33656 | 22 Apr 202621:17 | β | nvd | |
| CVE-2026-33656 EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user | 22 Apr 202620:01 | β | osv | |
| π EspoCRM 9.3.3 Remote Code Execution / Path Traversal | 25 Mar 202600:00 | β | packetstorm | |
| π EspoCRM 9.3.3 Remote Code Execution | 17 Apr 202600:00 | β | packetstorm | |
| PT-2026-27774 | 25 Mar 202600:00 | β | ptsecurity |
[
{
"vendor": "espocrm",
"product": "espocrm",
"versions": [
{
"version": "< 9.3.4",
"status": "affected"
}
]
}
]| Parameter | Position | Path | Description | CWE |
|---|---|---|---|---|
| name | request body | api/v1/Attachment | Create an attachment entry to abuse path traversal via sourceId manipulation in the formula engine | CWE-22 |
| type | request body | api/v1/Attachment | Create an attachment entry to abuse path traversal via sourceId manipulation in the formula engine | CWE-22 |
| relatedType | request body | api/v1/Attachment | Create an attachment entry to abuse path traversal via sourceId manipulation in the formula engine | CWE-22 |
| field | request body | api/v1/Attachment | Create an attachment entry to abuse path traversal via sourceId manipulation in the formula engine | CWE-22 |
| isBeingUploaded | request body | api/v1/Attachment | Create an attachment entry to abuse path traversal via sourceId manipulation in the formula engine | CWE-22 |
| size | request body | api/v1/Attachment | Create an attachment entry to abuse path traversal via sourceId manipulation in the formula engine | CWE-22 |
| expression | request body | api/v1/Formula/action/run | Execute a crafted formula expression to bypass ACLs and modify attachment path (path traversal via sourceId) | CWE-22 |
| targetType | request body | api/v1/Formula/action/run | Execute a crafted formula expression to bypass ACLs and modify attachment path (path traversal via sourceId) | CWE-22 |
| targetId | request body | api/v1/Formula/action/run | Execute a crafted formula expression to bypass ACLs and modify attachment path (path traversal via sourceId) | CWE-22 |
| attachment_id | binary | api/v1/Attachment/chunk/{attachment_id} | Upload PHP payload in chunked attachment upload to placed web shell | CWE-22 |
Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation