CVE-2026-33741

Name of the Vulnerable Software and Affected Versions EspoCRM versions prior to 9.3.4

Description Authenticated users can upload SVG attachments via standard attachment-capable fields. These files are served as top-level inline documents through attachment and image entry points, leading to stored cross-user Cross-Site Scripting (XSS), which is a flaw allowing scripts to be executed in the browser of another user. While the Content Security Policy (CSP) blocks inline SVG scripts, it permits same-origin external scripts. An attacker can exploit this by uploading a malicious SVG and a separate attacker-controlled JavaScript attachment, then tricking a user into opening the SVG to execute the script within the application origin.

Recommendations Update to version 9.3.4.