PT-2026-32517 · Espocrm · Espocrm
Silentsobs · Published 2026-04-13 · Updated 2026-04-14 · CVE-2026-33659
CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.3.4
Description: The '/api/v1/Attachment/fromImageUrl' endpoint is susceptible to Server-Side Request Forgery (SSRF) through a DNS rebinding (Time-of-Check to Time-of-Use) condition. This occurs because host validation uses the dns_get_record() function, while the subsequent HTTP request relies on curl's internal resolver (gethostbyname()), so the two lookups may return different IP addresses for the same hostname. Additionally, empty DNS results caused by lookup failures, IPv6-only domains, or non-existent hostnames may allow hosts to bypass validation. An authenticated attacker with default attachment creation access can use this to bypass internal IP restrictions, scan internal network ports, identify internal hosts, and interact with internal HTTP-based services.
Recommendations: Update to version 9.3.4.
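As an added illustration (not EspoCRM's own code; the fix shipped in 9.3.4 may differ), the rebinding-prone validate-then-refetch pattern the description outlines, beside a hardened variant that fails closed on an empty DNS answer and pins curl to the addresses that were actually validated via CURLOPT_RESOLVE:

```php
<?php
// Added illustration (not EspoCRM's code): rebinding-prone pattern vs. a pinned fetch.

// True only for a globally routable address (no loopback/private/reserved ranges).
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Weak: checks the dns_get_record() answer, then lets curl resolve the name again.
// An empty answer skips the loop, and curl's own lookup may get another address.
function fetchWeak(string $url): string|false
{
    foreach (dns_get_record((string) parse_url($url, PHP_URL_HOST), DNS_A) ?: [] as $r) {
        if (!isPublicIp($r['ip'])) {
            return false;
        }
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}

// Hardened: resolve once, fail closed on an empty answer, check every address,
// then force curl to connect only to the addresses that passed the check.
function fetchPinned(string $url): string|false
{
    $p = parse_url($url);
    $host = $p['host'] ?? '';
    $scheme = $p['scheme'] ?? '';
    if ($host === '' || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Only A answers are pinned, so IP-literal and IPv6-only hosts are denied here
    // (fail closed); validate and pin those forms too if they must be accepted.
    $ips = array_column(dns_get_record($host, DNS_A) ?: [], 'ip');
    if ($ips === [] || array_filter($ips, fn ($ip) => !isPublicIp($ip))) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect would bypass the pin
        CURLOPT_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE => ["$host:$port:" . implode(',', $ips)],
    ]);
    return curl_exec($ch);
}
```

Because curl never performs its own lookup in fetchPinned, a name that changes its answer between the check and the connect cannot steer the request to a different address.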

Tags: Exploit, Fix, SSRF, Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers: CVE-2026-33659

Affected Products: Espocrm