EspoCRM Path Traversal: Admin Creds Lead to Arbitrary File Access
The National Vulnerability Database has detailed CVE-2026-33733, a high-severity path traversal vulnerability impacting EspoCRM versions prior to 9.3.4. This flaw allows an authenticated administrator to manipulate name and scope values in template management endpoints. These values are then used in template path construction without proper sanitization, enabling the use of ../ sequences.
Exploiting this, an attacker can escape the intended template directory. This grants them the ability to read, create, overwrite, or delete arbitrary files, specifically body.tpl or subject.tpl, within the web application user’s filesystem permissions. The impact is significant, rated 7.2 CVSS, due to the high confidentiality, integrity, and availability implications once an attacker gains admin-level access.
Defenders running EspoCRM must prioritize patching to version 9.3.4 immediately. While requiring authenticated admin access mitigates some risk, it doesn’t eliminate it. A compromised admin account — whether through phishing, credential stuffing, or insider threat — becomes a critical pivot point for full system compromise. The attacker’s calculus is clear: gain admin, then leverage this path traversal for persistence or further lateral movement.
What This Means For You
- If your organization uses EspoCRM, you need to check your version immediately. Patch to 9.3.4 or later without delay. This isn't theoretical; a compromised admin account can lead to arbitrary file manipulation, which is a gateway to full system takeover. Audit your EspoCRM admin accounts for suspicious activity.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-33733 - EspoCRM Admin Path Traversal File Read/Write
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33733 | Path Traversal | EspoCRM versions prior to 9.3.4 |
| CVE-2026-33733 | Path Traversal | Admin template management endpoints in EspoCRM |
| CVE-2026-33733 | Path Traversal | Attacker-controlled 'name' and 'scope' values used in template path construction |
| CVE-2026-33733 | Arbitrary File Write/Delete | Arbitrary file operations on files resolving to 'body.tpl' or 'subject.tpl' via path traversal |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 00:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
WeKan SSRF Vulnerability: Internal Network Exposure Risk
CVE-2026-41455 — WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol...
Wekan API Flaw Grants Board Members Admin Powers
CVE-2026-41454 — WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without...
CVE-2026-41177 — Server-Side Request Forgery
CVE-2026-41177 — Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable...