PT-2026-32509 · Espocrm · Espocrm

Entrovyx · Published 2026-04-13 · Updated 2026-04-14 · CVE-2026-33657
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.3.4
Description: A stored HTML injection allows authenticated users with standard privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The issue occurs because the server-side Handlebars templates (a templating tool for generating dynamic HTML) render the post field with the unescaped triple-brace syntax, the Markdown processor preserves inline HTML, and the rendering pipeline skips sanitization for fields in additionalData. As a result, attacker-controlled HTML is stored and rendered in emails sent from the system SMTP identity, so the content appears trusted. This can enable phishing, user tracking via image beacons, and UI manipulation. The @mention feature allows the notification to be delivered to specific users.
Recommendations: Update to version 9.3.4. As a temporary workaround, restrict the use of the post field in stream activity notes.
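As an added illustration that is neither EspoCRM's code nor part of this advisory, the minimal Handlebars-style renderer below makes the three conditions in the description concrete: `{{{field}}}` copies the stored post verbatim into the email body, `{{field}}` HTML-escapes it using the character set Handlebars' escapeExpression escapes, and an optional sanitization pass over additionalData stands in for the pipeline step the advisory says was skipped. The template strings, field names and sample note are constructed assumptions.

```javascript
// Added example, not EspoCRM's code: a minimal Handlebars-style renderer that
// makes the three conditions from the advisory concrete. Names, templates and
// the sample note below are constructed for illustration.

// Escape the same characters Handlebars' escapeExpression escapes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;' };
  return String(value).replace(/[&<>"'`=]/g, (c) => map[c]);
}

// Conservative stand-in for a real HTML sanitizer: drop every tag.
function stripTags(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// Resolve a dotted path such as "additionalData.post" against the context.
function lookup(ctx, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);
}

// `{{{path}}}` inserts the value verbatim (the unsafe form the advisory names);
// `{{path}}` HTML-escapes it. With opts.sanitizeAdditional set, every field in
// data.additionalData is run through stripTags first, which is the pipeline
// step the advisory says was skipped for those fields.
function render(template, data, opts = {}) {
  const ctx = { ...data };
  if (opts.sanitizeAdditional && data.additionalData) {
    ctx.additionalData = Object.fromEntries(
      Object.entries(data.additionalData).map(([k, v]) => [k, stripTags(v)]));
  }
  return template.replace(
    /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g,
    (_, raw, esc) => (raw !== undefined
      ? String(lookup(ctx, raw) ?? '')
      : escapeHtml(lookup(ctx, esc) ?? '')));
}

// Constructed sample: a stream note whose post carries inline HTML that a
// Markdown processor preserving raw HTML would leave untouched.
const SAMPLE_NOTE = {
  userName: 'alice',
  additionalData: { post: 'Please review <img src="https://beacon.example/p.gif"> this deal' },
};
const VULNERABLE_TEMPLATE = '<p>{{userName}} posted:</p><div>{{{additionalData.post}}}</div>';
const FIXED_TEMPLATE = '<p>{{userName}} posted:</p><div>{{additionalData.post}}</div>';
```

Rendering SAMPLE_NOTE through VULNERABLE_TEMPLATE emits the stored tag unchanged, while FIXED_TEMPLATE emits it as inert text and the sanitizeAdditional option removes it before rendering.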

Weakness Enumeration: XSS; Improper Encoding or Escaping of Output
Related Identifiers: CVE-2026-33657
Affected Products: Espocrm