Description
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4.
Published: 2026-05-19
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to upload an SVG file that contains a script with the same origin. When a victim opens the attachment, the script executes in the context of the victim’s EspoCRM session, giving the attacker the ability to read cookies, modify page content, or perform any action that the victim’s role permits. The Stored XSS can directly compromise confidentiality, integrity, and availability of the user’s data within the application.

Affected Systems

EspoCRM is affected. All releases with version 9.3.3 or lower are impacted; the issue is resolved starting with version 9.3.4.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate risk, and the lack of an EPSS score suggests no known high exploitation probability at this time. The vulnerability is not listed in CISA KEV. Attackers would need to be authenticated to the system and simulate a normal attachment upload, then entice a separate, unsuspecting user to open the crafted SVG. The same‑origin CSP permits the malicious script to run, making the exploitation path straightforward for an internal attacker with sufficient motivation.

Generated by OpenCVE AI on May 19, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EspoCRM to version 9.3.4 or later.
  • If an upgrade is not immediately possible, disable or reject attachments with the SVG MIME type or content type.
  • Configure the CSP to disallow inline or external scripts originating from SVG files, ensuring that even same‑origin scripts cannot be executed from uploaded images.

Generated by OpenCVE AI on May 19, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Espocrm
Espocrm espocrm
Vendors & Products Espocrm
Espocrm espocrm

Tue, 19 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4.
Title EspoCRM: Stored XSS via SVG attachment loading same-origin JavaScript
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L'}

Subscriptions

Espocrm Espocrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T14:02:11.490Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33741

cve-icon Vulnrichment

Updated: 2026-05-20T14:01:35.065Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T19:16:49.463

Modified: 2026-05-20T14:16:42.190

Link: CVE-2026-33741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T20:00:13Z

Weaknesses