CVE-2026-33657

CVE-2026-33657 is a medium-severity vulnerability in Espocrm with a CVSS 3.x base score of 4.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-80.

Key facts

Description

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

Frequently asked questions

What is CVE-2026-33657?
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.
How severe is CVE-2026-33657?
CVE-2026-33657 has a CVSS 3.x base score of 4.6, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
Is CVE-2026-33657 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-33657?
CVE-2026-33657 affects Espocrm. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-33657?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-33657 have an EU (EUVD) identifier?
Yes. CVE-2026-33657 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-22081.
When was CVE-2026-33657 published?
CVE-2026-33657 was published on 2026-04-13 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Espocrm

All CVEs affecting Espocrm →

Other CWE-80 vulnerabilities

Browse all CWE-80 vulnerabilities →