Espocrm Espocrm
25 CVEs affecting Espocrm Espocrm. Latest disclosed: 2026-05-28. Critical: 2, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-37094 | Critical | 9.8 | 2026-02-03 | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can… |
| CVE-2026-33656 | Critical | 9.1 | 2026-04-22 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating a… |
| CVE-2026-33733 | High | 7.2 | 2026-04-22 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-control… |
| CVE-2026-33741 | Medium | 6.8 | 2026-05-19 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through no… |
| CVE-2026-41141 | Medium | 6.5 | 2026-05-28 | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAdd… |
| CVE-2025-52575 | Medium | 6.5 | 2025-07-21 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP… |
| CVE-2021-3539 | Medium | 6.3 | 2021-08-04 | EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was… |
| CVE-2024-24818 | Medium | 5.9 | 2024-02-29 | EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victi… |
| CVE-2026-33740 | Medium | 5.4 | 2026-04-13 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Inse… |
| CVE-2025-59428 | Medium | 5.4 | 2025-10-14 | EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including adm… |
| CVE-2025-32385 | Medium | 5.3 | 2025-04-15 | EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the… |
| CVE-2023-46736 | Medium | 5.3 | 2023-12-05 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forgery (SSRF) vulnerability via t… |
| CVE-2023-5966 | Medium | 4.7 | 2023-11-30 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which coul… |
| CVE-2023-5965 | Medium | 4.7 | 2023-11-30 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbi… |
| CVE-2026-33657 | Medium | 4.6 | 2026-04-13 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any aut… |
| CVE-2025-52892 | Medium | 4.5 | 2025-08-05 | EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a use… |
| CVE-2026-41160 | Medium | 4.3 | 2026-05-28 | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows l… |
| CVE-2026-33534 | Medium | 4.3 | 2026-04-13 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulne… |
| CVE-2026-33659 | Low | 3.5 | 2026-04-13 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulne… |
| CVE-2025-32789 | Low | 3.1 | 2025-04-16 | EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an at… |