Impact
EspoCRM’s built‑in formula engine can update the sourceId field on Attachment entities without sanitizing the value. An authenticated administrator can trigger this function and set sourceId to an arbitrary file path. Because that value is concatenated directly into a file system path, the attacker can read or write any file within the directories permitted by PHP’s open_basedir setting. This flaw, a classic example of path traversal (CWE‑22), can be leveraged to drop malicious files or modify existing ones, potentially leading to the execution of arbitrary code on the host.
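As an added illustration, not EspoCRM’s own code or its actual fix, the kind of check the Attachment handling needs before a sourceId is joined onto a storage path: treat the id as an opaque identifier, then confirm the resolved path stays inside the upload directory. ATTACHMENT_DIR, validateSourceId and resolveAttachmentPath are hypothetical names.

```php
<?php
// Added example (not EspoCRM's code): guard an attachment sourceId before it
// is used to build a file system path. All names here are hypothetical.
declare(strict_types=1);

const ATTACHMENT_DIR = '/var/www/espocrm/data/upload'; // assumed base directory

/**
 * First gate: an attachment id is an opaque token, never a path.
 * Anything with separators, dot sequences, NUL bytes or other
 * non-alphanumeric characters is rejected outright.
 */
function validateSourceId(string $sourceId): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9]{1,32}\z/', $sourceId);
}

/**
 * Second gate (defence in depth): resolve the final path and require it to
 * remain under ATTACHMENT_DIR. realpath() collapses ".." and symlinks and
 * returns false for a nonexistent target, so for a file that does not exist
 * yet (a write) the parent directory is resolved instead.
 */
function resolveAttachmentPath(string $sourceId, string $baseDir = ATTACHMENT_DIR): ?string
{
    if (!validateSourceId($sourceId)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $sourceId;
    $resolved = realpath($candidate) ?: realpath(dirname($candidate));
    // Compare with a trailing separator so "/upload2" cannot pass as "/upload".
    if ($resolved === false
        || strpos($resolved . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample values showing what the first gate accepts and rejects.
$samples = ['5f3a9c1b2d', '../../data/config.php', "abc\0.php", 'sub/dir'];
foreach ($samples as $s) {
    printf("%-26s => %s\n", json_encode($s), validateSourceId($s) ? 'accepted' : 'rejected');
}
```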
Affected Systems
EspoCRM versions earlier than 9.3.4 are affected. The vulnerability applies to the core EspoCRM product provided by espocrm, with no specific sub‑product or component mentioned beyond the Attachment handling mechanism.
Risk and Exploitability
The CVSS score of 9.1 rates this issue as critical. No EPSS score is available, but the lack of that data does not lessen the danger of the flaw where it is present. The issue is not listed in CISA’s KEV catalog; the attack vector is a logged‑in administrator who can craft a malicious formula. Exploitation is straightforward: an attacker with valid admin credentials writes a formula that modifies the sourceId and then performs the desired file read or write. The open_basedir setting bounds the reachable file system but still permits significant malicious actions within the allowed directories. Consequently, the likelihood of exploitation is considered high for affected installations.
OpenCVE Enrichment