espocrm

Top products

The 15 most recently published vulnerabilities affecting espocrm.

• CVE-2026-41141EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup6.5May 28, 2026
• CVE-2026-41160EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes4.3May 28, 2026
• CVE-2026-33741EspoCRM: Stored XSS via SVG attachment loading same-origin JavaScript6.8May 19, 2026
• CVE-2026-33733EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete7.2Apr 22, 2026
• CVE-2026-33656EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user9.1Apr 22, 2026
• CVE-2026-33740EspoCRM: Email importEml can import and delete another user's attachment by raw fileId5.4Apr 13, 2026
• CVE-2026-33659EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access3.5Apr 13, 2026
• CVE-2026-33657EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field4.6Apr 13, 2026
• CVE-2026-33534EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation4.3Apr 13, 2026
• CVE-2020-37094EspoCRM 5.8.5 - Privilege Escalation9.8Feb 3, 2026
• CVE-2025-59428EspoCRM allows arbitrary user creation via stored SVG injection and CSRF5.4Oct 14, 2025
• CVE-2025-52892EspoCRM is vulnerable to access denial through double slash in URI corrupting router cache4.5Aug 5, 2025
• CVE-2025-52575EspoCRM vulnerable to LDAP Injection through Improper Neutralization of Special Elements6.5Jul 21, 2025
• CVE-2025-32390EspoCRM vulnerable to HTML Injection into phishing, which may lead to account takeover8.5May 12, 2025
• CVE-2025-32789EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function3.1Apr 16, 2025