PT-2025-41935 · Espocrm · Espocrm

Published: 2025-10-14 · Updated: 2025-10-14 · CVE-2025-59428

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
EspoCRM versions prior to 9.1.9

Description
EspoCRM is a customer relationship management application. A flaw allows the creation of arbitrary user accounts, including accounts with administrative privileges. It results from a combination of stored SVG injection and insufficient CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element in the body field of a Knowledge Base article. When an authenticated user clicks the link carried by that SVG, they are redirected to an attacker-controlled HTML page that issues a Cross-Site Request Forgery (CSRF) request against the /api/v1/User endpoint. If the victim provides their credentials, an attacker-controlled account is created, with the account's privileges determined by the CSRF payload. The vulnerable parameter is the body field of a Knowledge Base article.

Recommendations
Update EspoCRM to version 9.1.9 or later.
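The two root causes named in the description, a rich-text field that stores SVG markup and a state-changing API endpoint that accepts cross-site requests, each have a standard defense. The Python below is an added example written for this advisory, not EspoCRM's own code: an allow-list sanitiser that drops svg subtrees, event-handler attributes and non-http(s) link targets from an article body before it is stored or rendered, and a request-origin check of the kind added alongside CSRF tokens on endpoints such as /api/v1/User. The tag allow-list, the sample article body and the sample request headers are all constructed assumptions.

```python
"""Allow-list sanitiser for a rich-text field plus a request-origin check.

Added example for this advisory, not EspoCRM's own code. The allow-list,
the sample article body and the sample headers are constructed here.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting a Knowledge Base article legitimately needs; <svg>, <script>,
# <img>, <iframe> and every other tag is dropped together with its contents.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "a", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}        # no on* handlers, no style
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "source", "embed",
             "area", "base", "col", "wbr", "track", "param"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Allow http(s)/mailto and site-relative links; reject javascript:, data:, //host."""
    value = value.strip()
    scheme = urlparse(value).scheme.lower()
    if scheme:
        return scheme in SAFE_SCHEMES
    return value.startswith(("/", "#")) and not value.startswith("//")


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # cleaned fragments
        self.open = []       # allowed tags currently open, so they get closed
        self.drop_depth = 0  # > 0 while inside a dropped subtree such as <svg>
        self.dropped = []    # top-level tags removed, useful for audit logging

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag not in VOID_TAGS:
                self.drop_depth = 1  # swallow everything up to the matching close
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not safe_href(value or ""):
                continue
            kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open:  # close inner tags left open, then this one
            while True:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:  # unclosed allowed tags are closed, never left dangling
            self.out.append(f"</{self.open.pop()}>")


def sanitize_article_body(html):
    """Return (clean_html, dropped_tags) for an untrusted rich-text body."""
    s = _Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


def is_cross_site(headers, app_origin):
    """True when a state-changing request (e.g. POST /api/v1/User) must be rejected.

    Uses Sec-Fetch-Site when the browser sends it, else compares Origin (or
    Referer) with the application's own origin. No header at all is treated
    as cross-site, so the check fails closed; use it together with a CSRF token.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        return site.lower() != "same-origin"
    source = h.get("origin") or h.get("referer")
    if not source:
        return True
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}".lower() != app_origin.rstrip("/").lower()


# Constructed sample: a normal article with a smuggled <svg> link and a javascript: URL.
SAMPLE_BODY = (
    "<h2>Resetting a password</h2>"
    '<p>See the <a href="https://crm.example.invalid/help" onclick="steal()">help page</a>.</p>'
    '<svg><a xlink:href="https://attacker.invalid/page"><text x="10" y="20">Click me</text></a></svg>'
    '<p>Questions? <a href="javascript:alert(1)">Contact us</a></p>'
    '<img src="x" onerror="alert(1)">'
)
# Constructed sample headers for a POST that arrived from another site.
CROSS_SITE_HEADERS = {"Origin": "https://attacker.invalid", "Sec-Fetch-Site": "cross-site"}

if __name__ == "__main__":
    clean, dropped = sanitize_article_body(SAMPLE_BODY)
    print(clean)
    print("dropped:", dropped)
    print("cross-site:", is_cross_site(CROSS_SITE_HEADERS, "https://crm.example.invalid"))
```

Running the sanitiser on the sample keeps the headings, paragraphs and the https link, strips the onclick handler, removes the svg subtree and the img entirely, and turns the javascript: link into a plain anchor; the returned list of dropped tags is worth logging so that repeated svg submissions by one account stand out. The origin check is deliberately strict; non-browser API clients that authenticate with a token rather than a session cookie can be exempted before it runs.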

Exploit

Fix

XSS

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-59428
GHSA-C26C-WVHR-FR6R

Affected Products

Espocrm