Impact
EspoCRM's TemplateManager accepts attacker-controlled name and scope parameters without normalizing paths, so an authenticated administrator can use '../' sequences to escape the intended template directory. This allows the admin to read, create, overwrite, or delete arbitrary files named body.tpl or subject.tpl anywhere the web application's user account can reach on the filesystem. The flaw can be exploited to access sensitive configuration files, modify application logic, or delete critical data, potentially leading to further compromise of the system.
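A defensive check of the kind that closes this traversal, given here as an added example in Python (it is not EspoCRM's own PHP code); the directory layout, function names and the base path are assumptions. It combines an allow-list on the scope and name segments with a containment check on the normalized result:

```python
import os
import re
from typing import Optional

# Assumed layout (hypothetical, not EspoCRM's real one): <base>/<scope>/<name>/<subject|body>.tpl
ALLOWED_FILES = frozenset({"subject.tpl", "body.tpl"})
# Exactly one path component of letters, digits, '_' or '-'.
# This rejects '', '.', '..', '/', '\\' and NUL bytes, so '../' never reaches the path join.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_safe_segment(segment: str) -> bool:
    """True when segment is a single, plain directory name."""
    return bool(SEGMENT_RE.match(segment))


def resolve_template_path(base_dir: str, scope: str, name: str, file_name: str) -> Optional[str]:
    """Return the on-disk path for a template request, or None if it must be refused.

    Two independent controls: an allow-list on the user-controlled segments, and a
    containment check on the normalized result, so that loosening one later does
    not silently reopen the traversal.
    """
    if file_name not in ALLOWED_FILES:
        return None
    if not (is_safe_segment(scope) and is_safe_segment(name)):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, scope, name, file_name))
    # After lexical normalization the candidate must still sit below base_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def main() -> None:
    base = "/var/www/espocrm/data/templates"  # constructed base directory
    requests = [
        ("Account", "invoice", "body.tpl"),    # legitimate request
        ("../../config", "x", "body.tpl"),     # traversal through scope
        ("Account", "..", "subject.tpl"),      # traversal through name
        ("Account", "invoice", "config.php"),  # wrong file name
    ]
    for scope, name, file_name in requests:
        result = resolve_template_path(base, scope, name, file_name)
        print(f"{scope!r:>16} {name!r:>10} {file_name:<12} -> {result}")


if __name__ == "__main__":
    main()
```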
Affected Systems
All EspoCRM installations running a version earlier than 9.3.4 are vulnerable. The issue is confined to environments where the application runs under a user identity that has write permissions to the directories where body.tpl and subject.tpl reside, typically the web server's user account. Only users with administrative privileges to the TemplateManager interface are able to exploit the flaw.
Risk and Exploitability
The CVSS score of 7.2 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. The attack requires an authenticated admin session, so exploitation is limited to accounts with TemplateManager access, but the impact of modifying or deleting configuration or template files can lead to data loss or further privilege escalation. Regular users without admin rights cannot exploit the flaw, but may be affected by data loss caused by an admin attacker.
OpenCVE Enrichment