PT-2026-27774 · Espocrm · Espocrm

Published 2026-03-25 · Updated 2026-03-25 · CVE-2026-33656

Severity rating: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.3.4

Description: EspoCRM contains a flaw because the formula engine operates outside the field-level restriction layer, which allows writable access to fields marked as read-only, such as Attachment.sourceId. A formula can therefore modify sourceId, leading to a path traversal issue when the getFilePath() function uses the value without proper sanitization. An attacker can upload a webshell using chunked upload, poison the .htaccess file, and achieve Remote Code Execution (RCE) as the www-data user. Exploitation requires admin credentials and six requests. The vulnerable components are the formula engine and the getFilePath() function, where the sourceId value is concatenated directly into a file path without sanitization.

Recommendations: Update to EspoCRM version 9.3.4 or later.
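The root cause above is an untrusted identifier concatenated into a file path. The following is an added illustration (not EspoCRM's code, and the `AttachmentPathResolver` class, its `getFilePath()` signature, the storage root and the ID format are assumptions) of how such a path builder can validate the identifier before it ever touches the filesystem:

```php
<?php
// Added illustration, not EspoCRM code: build an attachment file path from an
// untrusted source ID and reject anything that could escape the storage root.
// The storage root, the ID format and the method name are assumptions.
declare(strict_types=1);

final class AttachmentPathResolver
{
    private string $root;

    public function __construct(string $root)
    {
        $real = realpath($root);
        if ($real === false) {
            throw new RuntimeException("Storage root does not exist: $root");
        }
        $this->root = $real;
    }

    // Return the absolute file path for $sourceId, or throw on any value that is
    // not a plain identifier or whose parent directory is not the storage root.
    public function getFilePath(string $sourceId): string
    {
        // Allowlist first: treat the ID as an opaque alphanumeric token, so
        // separators, dots, NUL bytes and whitespace are rejected outright.
        if (!preg_match('/\A[A-Za-z0-9]{1,64}\z/', $sourceId)) {
            throw new InvalidArgumentException('Invalid attachment ID');
        }

        $candidate = $this->root . DIRECTORY_SEPARATOR . $sourceId;

        // Defence in depth: the canonical parent directory must be the root.
        // realpath() fails for files that do not exist yet, so canonicalise the
        // parent rather than the candidate itself.
        if (realpath(dirname($candidate)) !== $this->root) {
            throw new RuntimeException('Path escapes storage root');
        }
        return $candidate;
    }
}

// Constructed demonstration values; the temp directory stands in for the store.
$resolver = new AttachmentPathResolver(sys_get_temp_dir());
echo $resolver->getFilePath('5f1c9ab3e2d4f6a7b'), PHP_EOL;   // accepted
try {
    $resolver->getFilePath('../outside');                    // rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Rejecting the identifier by pattern is the primary control; the canonical-path comparison only catches mistakes in the first check, so neither should be dropped in favour of the other.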

Related Identifiers: CVE-2026-33656

Affected Products: Espocrm