Lucene search

5 matches found

CVE
added 2025/10/14 2:38 p.m., 10 views

CVE-2025-59428

CVE-2025-59428 affects EspoCRM up to version 9.1.8. A combination of stored SVG injection and missing CSRF protection allows an attacker with Knowledge Base edit permissions to cause arbitrary user creation (including admin accounts) by luring an authenticated user to click a malicious SVG link t...

CVSS: 5.4, AI score: 6.4, EPSS: 0.00018
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
added 2025/10/14 2:38 p.m., 1 views

CVE-2025-59428 EspoCRM allows arbitrary user creation via stored SVG injection and CSRF

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit...

CVSS: 5.4, AI score: 6.4, EPSS: 0.00018
Exploits: 1, References: 1
Positive Technologies
added 2025/10/14 12:0 a.m., 3 views

PT-2025-41935

Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.1.9. Description: EspoCRM is a customer relationship management application. A flaw allows the creation of arbitrary user accounts, including those with administrative privileges. This is achieved through a combinatio...

CVSS: 5.4, AI score: 6.5, EPSS: 0.00018
Exploits: 1, References: 3
RedhatCVE
added 2025/04/07 12:20 a.m., 20 views

CVE-2025-32357

In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for...

CVSS: 4.3, AI score: 6.7, EPSS: 0.00156
Exploits: 0, References: 1
CVE
added 2025/04/05 12:0 a.m., 90 views

CVE-2025-32357

The CVE-2025-32357 entry affects Zammad versions 6.4.x before 6.4.2. An authenticated agent with knowledge base permissions can use the Zammad API to fetch knowledge base content they are not authorized to access, indicating an API permission bypass vulnerability with potential information disclo...

CVSS: 4.3, AI score: 6.7, EPSS: 0.00156
Exploits: 0, References: 1, Affected Software: 1