Entrovyx

#26572of 53,638
9.7Total CVSS
Vulnerabilities · 2
Medium
2
PT-2026-32508
4.3
2026-04-13
Espocrm · Espocrm · CVE-2026-33534
Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 9.3.4 Description An authenticated Server-Side Request Forgery (SSRF) allows bypassing internal-host validation by using alternative IPv4 representations, such as octal notation. This occurs because the `HostCheck::isNotInternalHost()` function relies on `filter var(..., FILTER VALIDATE IP)`, which does not recognize alternative IP formats. This causes the validation to fall through to a DNS lookup that returns no records, incorrectly treating the host as safe. Subsequently, cURL normalizes the address and connects to the loopback destination. Through the '/api/v1/Attachment/fromImageUrl' endpoint, an authenticated user can force the server to make requests to loopback-only services and store the response as an attachment, potentially allowing access to internal resources. Recommendations Update to version 9.3.4. As a temporary workaround, restrict access to the '/api/v1/Attachment/fromImageUrl' endpoint to minimize the risk of exploitation.
PT-2026-32509
5.4
2026-04-13
Espocrm · Espocrm · CVE-2026-33657
Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 9.3.4 Description A stored HTML injection allows authenticated users with standard privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the `post` field of stream activity notes. The issue occurs because server-side Handlebars templates (a tool for generating dynamic HTML) render the `post` field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML, and the rendering pipeline skips sanitization for fields in `additionalData`. This allows attacker-controlled HTML to be stored and rendered in emails sent via the system SMTP identity, making the content appear trusted. This can enable phishing, user tracking via image beacons, and UI manipulation. The `@mention` feature allows for targeted delivery to specific users. Recommendations Update to version 9.3.4. As a temporary workaround, restrict the use of the `post` field in stream activity notes.