VYPR
Vendor: Espocrm

Products: 1
CVEs: 43
Across products: 43
Status: Private

Recent CVEs (43)
  • CVE-2026-33656 | Critical | Apr 22, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.01

    EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's sourceId, thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities.…

  • CVE-2026-33733 | High | Apr 22, 2026
    risk 0.40 | CVSS 7.2 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal…

  • CVE-2026-33741 | Medium | May 19, 2026
    risk 0.37 | CVSS 6.8 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment…

  • CVE-2026-41141 | Medium | May 28, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An…

  • CVE-2018-17302 | Medium | Sep 21, 2018
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message.

  • CVE-2018-17301 | Medium | Sep 21, 2018
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel.

  • CVE-2023-5966 | Medium | Nov 30, 2023
    risk 0.31 | CVSS 4.7 | EPSS 0.01

    An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution.

  • CVE-2023-5965 | Medium | Nov 30, 2023
    risk 0.31 | CVSS 4.7 | EPSS 0.01

    An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.

  • CVE-2026-33740 | Medium | Apr 13, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any…

  • CVE-2026-33534 | Medium | Apr 13, 2026
    risk 0.24 | CVSS 4.3 | EPSS 0.02

    EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as…

  • CVE-2026-33657 | Medium | Apr 13, 2026
    risk 0.23 | CVSS 4.6 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email…

  • CVE-2026-41160 | Medium | May 28, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a…

  • CVE-2026-33659 | Low | Apr 13, 2026
    risk 0.16 | CVSS 3.5 | EPSS 0.00

    EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses…

  • CVE-2020-37094 | Feb 3, 2026
    risk 0.00 | CVSS n/a | EPSS 0.01

    EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user…

  • CVE-2025-59428 | Oct 14, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with…

  • CVE-2025-52892 | Aug 5, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g. https://domain//#Admin) and the webserver does not strip the double…

  • CVE-2025-52575 | Jul 21, 2025
    risk 0.00 | CVSS n/a | EPSS 0.01

    EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input…

  • CVE-2025-32390 | May 12, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse…

  • CVE-2025-32789 | Apr 16, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based…

  • CVE-2025-32385 | Apr 15, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, the Iframe dashlet allows a user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially…