Lucene search
K

CVE-2026-33656

πŸ—“οΈΒ 22 Apr 2026Β 20:01:24Reported byΒ GitHub_MTypeΒ 
cve
Β cve
πŸ”—Β web.nvd.nist.govπŸ“°οΈΒ 2Β Media mentionsπŸ‘Β 56Β Views🌐 WEB

Admin can exploit formula to overwrite sourceId and trigger path traversal; fixed in EspoCRM 9.3.4

Related
Detection
Affected
Refs
Paths
Social
NVD
Vulners
Node
espocrmespocrmRange<9.3.4
[
  {
    "vendor": "espocrm",
    "product": "espocrm",
    "versions": [
      {
        "version": "< 9.3.4",
        "status": "affected"
      }
    ]
  }
]
ParameterPositionPathDescriptionCWE
namerequest bodyapi/v1/AttachmentCreate an attachment entry to abuse path traversal via sourceId manipulation in the formula engineCWE-22
typerequest bodyapi/v1/AttachmentCreate an attachment entry to abuse path traversal via sourceId manipulation in the formula engineCWE-22
relatedTyperequest bodyapi/v1/AttachmentCreate an attachment entry to abuse path traversal via sourceId manipulation in the formula engineCWE-22
fieldrequest bodyapi/v1/AttachmentCreate an attachment entry to abuse path traversal via sourceId manipulation in the formula engineCWE-22
isBeingUploadedrequest bodyapi/v1/AttachmentCreate an attachment entry to abuse path traversal via sourceId manipulation in the formula engineCWE-22
sizerequest bodyapi/v1/AttachmentCreate an attachment entry to abuse path traversal via sourceId manipulation in the formula engineCWE-22
expressionrequest bodyapi/v1/Formula/action/runExecute a crafted formula expression to bypass ACLs and modify attachment path (path traversal via sourceId)CWE-22
targetTyperequest bodyapi/v1/Formula/action/runExecute a crafted formula expression to bypass ACLs and modify attachment path (path traversal via sourceId)CWE-22
targetIdrequest bodyapi/v1/Formula/action/runExecute a crafted formula expression to bypass ACLs and modify attachment path (path traversal via sourceId)CWE-22
attachment_idbinaryapi/v1/Attachment/chunk/{attachment_id}Upload PHP payload in chunked attachment upload to placed web shellCWE-22
Rows per page

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Jun 2026 10:37Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.1
EPSS0.005
SSVC
56