CVE-2025-32390
CVE-2025-32390 is a high-severity vulnerability in Espocrm with a CVSS 3.x base score of 8.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-74.
Key facts
- Severity: High (CVSS 3.x base score 8.5)
- CVSS v4: 7.0
- EPSS exploit prediction: 0% (23rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-14333
- Weakness: CWE-74
- Affected product: Espocrm
- Published:
- Last modified:
Description
EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and if they submit their credentials, they get captured in plain text. The vulnerability is allowed by overly permissive HTML editing being allowed on the KB articles. Any authenticated user with the privilege to read KB articles is impacted. In an enterprise with multiple applications, the malicious KB article could be edited to match the login pages of other applications, which would make it useful for credential harvesting against other applications as well. Version 9.0.8 contains a patch for the issue.
Frequently asked questions
- What is CVE-2025-32390?
- EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base (KB) articles leads to complete page defacement imitating the login page. Authenticated users with the read knowledge article privilege can browse to the KB article and if they submit their credentials, they get captured in plain text. The vulnerability is allowed by overly permissive HTML editing being allowed on the KB articles. Any authenticated user with the privilege to read KB articles is impacted. In an enterprise with multiple applications, the malicious KB article could be edited to match the login pages of other applications, which would make it useful for credential harvesting against other applications as well. Version 9.0.8 contains a patch for the issue.
- How severe is CVE-2025-32390?
- CVE-2025-32390 has a CVSS 3.x base score of 8.5, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2025-32390 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (23rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-32390?
- CVE-2025-32390 affects Espocrm. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-32390?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-32390 have an EU (EUVD) identifier?
- Yes. CVE-2025-32390 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-14333.
- When was CVE-2025-32390 published?
- CVE-2025-32390 was published on 2025-05-12 and last updated on 2026-06-17.
References
- https://github.com/espocrm/espocrm/commit/6b58d30eec8864de52844bfb8dac346ce5c729d7
- https://github.com/espocrm/espocrm/security/advisories/GHSA-qrwp-v8v3-hqp2
Affected products (1)
- cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*
More vulnerabilities in Espocrm
- CVE-2014-7985 — Critical (CVSS 10.0): Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary…
- CVE-2020-37094 — Critical (CVSS 9.8): EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by…
- CVE-2026-33656 — Critical (CVSS 9.1): EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in…
- CVE-2022-38843 — High (CVSS 8.8): EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any…
- CVE-2019-14351 — High (CVSS 8.8): EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a…
- CVE-2022-38844 — High (CVSS 8.0): CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating…
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →