Description
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.
Published: 2026-04-13
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTML Injection in Emails
Action: Immediate Patch
AI Analysis

Impact

EspoCRM, an open-source CRM platform, contains a stored HTML injection flaw affecting versions 9.3.3 and earlier. The vulnerability allows any authenticated non-administrative user to embed arbitrary HTML into the Post field of stream activity notes. Because server-side Handlebars templates render this field with unescaped triple-brace syntax and the Markdown processor preserves inline HTML, the injected markup is saved and later inserted unescaped into system-generated email notifications. The emails are sent from the system's configured SMTP identity and therefore appear trusted to recipients, enabling phishing, tracking via embedded resources such as image beacons, and manipulation of the email user interface.

Affected Systems

The affected product is EspoCRM version 9.3.3 and earlier, released by the EspoCRM team. The issue is fixed in version 9.3.4, so any deployment running an earlier release is vulnerable. Users should verify the installed version and plan to upgrade if necessary.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authentication and the creation of a stream note, so only users with permissions to add notes can abuse it. Once the attacker crafts a malicious post, the content is stored and rendered into outbound emails, which can be targeted to specific recipients via the @mention feature, amplifying the attack’s impact.

Generated by OpenCVE AI on April 13, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply EspoCRM 9.3.4 or later
  • Restrict stream note creation to trusted users or implement content sanitization
  • Validate outbound email templates to ensure no unexpected HTML is rendered
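The mechanism in the Description (triple-brace rendering, a Markdown step that keeps inline HTML, and a missing sanitization step) and the outbound-template check recommended above, shown together in an added Python example. This is not EspoCRM's code: the notification template, the field names "sender" and "post", the allowed-tag list and the sample note are all assumptions constructed for the example, and the renderer is a toy that implements only the Handlebars escaped/raw distinction.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a stream-note notification template. The template
# text and the field names "sender" and "post" are assumptions for this
# example; EspoCRM's real templates are not reproduced here.
NOTE_TEMPLATE = "<p>{{sender}} posted:</p><div>{{{post}}}</div>"

# Handlebars semantics that matter here: {{x}} is HTML-escaped, {{{x}}} is
# emitted verbatim. The toy renderer below implements only that distinction
# (no helpers, blocks or partials) in a single pass over the template.
_VAR = re.compile(r"\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}")


def render(template: str, data: dict) -> str:
    def substitute(match):
        raw_name, escaped_name = match.group(1), match.group(2)
        if raw_name is not None:
            return str(data.get(raw_name, ""))  # triple brace: no escaping
        return html.escape(str(data.get(escaped_name, "")), quote=True)
    return _VAR.sub(substitute, template)


_BOLD = re.compile(r"\*\*(.+?)\*\*")


def markdown_to_html(text: str, escape_inline_html: bool) -> str:
    """Minimal Markdown step that converts **bold** only. Like the default
    behaviour of many Markdown processors, it passes inline HTML through
    untouched unless the caller escapes it first."""
    if escape_inline_html:
        text = html.escape(text, quote=True)
    return _BOLD.sub(r"<strong>\1</strong>", text)


def build_note_email(sender: str, post: str, hardened: bool) -> str:
    """Vulnerable path (hardened=False): user Markdown, with any inline HTML
    intact, lands in the triple-brace slot and reaches the email unescaped.
    Hardened path (hardened=True): inline HTML is escaped before the Markdown
    step, so only markup the Markdown converter itself produced reaches the
    raw slot."""
    body = markdown_to_html(post, escape_inline_html=hardened)
    return render(NOTE_TEMPLATE, {"sender": sender, "post": body})


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


# Tags the notification template and the Markdown step are expected to emit
# (assumed allowlist for this example).
ALLOWED_TAGS = frozenset({"p", "div", "strong", "em", "br", "a"})


def unexpected_tags(rendered: str, allowed=ALLOWED_TAGS) -> list:
    """Outbound check: tag names present in a rendered email that the template
    is not expected to produce. A non-empty result means user-controlled
    markup reached the message."""
    collector = _TagCollector()
    collector.feed(rendered)
    return sorted({t for t in collector.tags if t not in allowed})


# Constructed sample note: Markdown emphasis plus an inline <img> tag.
SAMPLE_SENDER = "Dana <dana@example.invalid>"
SAMPLE_POST = 'Budget review moved to 3pm, see **agenda** <img src="http://tracker.invalid/p.gif">'


def demo() -> dict:
    vulnerable = build_note_email(SAMPLE_SENDER, SAMPLE_POST, hardened=False)
    hardened = build_note_email(SAMPLE_SENDER, SAMPLE_POST, hardened=True)
    return {
        "vulnerable": vulnerable,
        "vulnerable_unexpected": unexpected_tags(vulnerable),  # ['img']
        "hardened": hardened,
        "hardened_unexpected": unexpected_tags(hardened),  # []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened path keeps the raw slot only because the value placed in it is now known to contain no user-supplied markup; switching the slot to `{{post}}` instead would also be safe but would escape the Markdown converter's own `<strong>` tags. `unexpected_tags` is the kind of check a mail-sending step can run on every rendered message to catch a template that regresses to unescaped user content.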

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Espocrm
                                      Espocrm espocrm
Vendors & Products   -                Espocrm
                                      Espocrm espocrm

Mon, 13 Apr 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description   -                EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.
Title         -                EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field
Weaknesses    -                CWE-116, CWE-80
References    -                -
Metrics       -                cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:48:47.307Z

Reserved: 2026-03-23T15:23:42.219Z

Link: CVE-2026-33657

Vulnrichment

Updated: 2026-04-13T20:48:34.633Z

NVD

Status: Received

Published: 2026-04-13T20:16:34.143

Modified: 2026-04-13T21:16:24.627

Link: CVE-2026-33657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:26Z

Weaknesses