PatchSiren cyber security CVE debrief
CVE-2026-33741 espocrm CVE debrief
CVE-2026-33741 affects EspoCRM versions 9.3.3 and below. The issue stems from SVG attachments being uploadable through normal attachment-capable fields and then rendered as top-level inline content through attachment and image entry points. That creates a stored cross-user XSS condition reachable through an ordinary workflow. The response CSP blocks inline SVG script, but the same-origin external script allowance still leaves room for script execution in the EspoCRM origin when a victim opens the SVG. The advisory says the issue is fixed in version 9.3.4.
- Vendor: espocrm
- Product: Unknown
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Administrators and security teams running EspoCRM, especially deployments that allow authenticated users to upload attachments or otherwise handle untrusted files. This also matters for helpdesk, sales, and support workflows where users may open attachments from other users.
Technical summary
The vulnerable behavior is application-level SVG handling. In affected releases, authenticated users can upload SVG files through attachment-capable fields, and those files can later be served inline at attachment/image endpoints rather than being forced to download. Because SVG is an active content type, that inline rendering creates a stored XSS path. The supplied advisory notes that inline script is blocked by CSP, but same-origin external JavaScript remains allowed, so an attacker can combine a malicious SVG with an attacker-controlled JavaScript attachment and rely on a victim opening the SVG in the EspoCRM origin. NVD maps the issue to CWE-79 and lists the vector as CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L.
Defensive priority
Medium-to-high for any environment that permits user-controlled attachments, since exploitation is network-reachable, requires only low privileges, and can impact other users after interaction. Upgrade priority is highest for internet-facing or broadly shared EspoCRM instances.
Recommended defensive actions
- Upgrade EspoCRM to version 9.3.4 or later.
- Review whether SVG uploads are necessary; if not, block SVG attachment uploads at the application or gateway layer.
- Treat user-uploaded SVG as active content and avoid serving it inline when possible.
- Audit attachment and image-serving paths to confirm untrusted files cannot execute in the application origin.
- Review CSP and file-serving headers for attachment endpoints, especially any allowance for same-origin external script.
- Check for suspicious SVG or JavaScript attachments uploaded by authenticated users and review access logs for unusual attachment opens.
- Warn users not to open unexpected attachments, including image-like files, from untrusted or unfamiliar accounts.
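As an added example (not EspoCRM's code and not taken from the advisory), the following Python check supports the "treat SVG as active content" and "check for suspicious SVG attachments" actions above: it identifies SVG by file content rather than extension, flags the constructs that make an SVG active, and shows the response headers a file-serving endpoint would add so the file is downloaded instead of rendered in the application origin. The sample files and the attachment directory layout are constructed for the example.

```python
import re
from pathlib import Path

# Content-based SVG detection: the extension is chosen by the uploader, the bytes are not.
SVG_MARKER = re.compile(rb"<\s*svg\b", re.IGNORECASE)
# Constructs that turn a "picture" into active content when rendered as a top-level document.
ACTIVE_PATTERNS = {
    "script-element": re.compile(rb"<\s*script\b", re.IGNORECASE),
    "event-handler": re.compile(rb"\son[a-z]+\s*=", re.IGNORECASE),
    "foreign-object": re.compile(rb"<\s*foreignObject\b", re.IGNORECASE),
    # any href that is not a local fragment (#id): a same-origin or remote resource load
    "uri-reference": re.compile(rb"\b(?:xlink:)?href\s*=\s*['\"](?!#)", re.IGNORECASE),
}

# Constructed sample attachments (hypothetical; not files from any real incident).
SAMPLES = {
    "logo.svg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
    "chart.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script xlink:href="/uploads/helper.js"></script></svg>',
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "icon.png": b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"/>',  # SVG behind a .png name
}


def scan_attachment(name: str, data: bytes) -> dict:
    """Classify one stored attachment by its bytes and report active-content indicators."""
    is_svg = SVG_MARKER.search(data[:4096]) is not None
    flags = sorted(k for k, p in ACTIVE_PATTERNS.items() if is_svg and p.search(data))
    return {"name": name, "svg": is_svg, "flags": flags,
            "extension_mismatch": is_svg and not name.lower().endswith(".svg")}


def scan_store(root: Path) -> list:
    """Walk an attachment directory (hypothetical layout) and report every stored file."""
    return [scan_attachment(p.name, p.read_bytes()) for p in sorted(root.rglob("*")) if p.is_file()]


def serving_headers(name: str, data: bytes) -> dict:
    """Headers a file-serving endpoint should add so an SVG is never rendered as a top-level
    page in the application origin: force download, plus a no-script CSP as defence in depth."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if scan_attachment(name, data)["svg"]:
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % name.replace('"', "")
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    return headers


if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(scan_attachment(fname, blob), serving_headers(fname, blob))
```

Run `scan_store(Path("/path/to/attachments"))` against a copy of the attachment store to list every content-detected SVG, with flags and extension mismatches, for review.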
Evidence notes
Based on the supplied CVE description and the official NVD record for CVE-2026-33741. The source data lists publishedAt 2026-05-19T19:16:49.463Z and modifiedAt 2026-05-20T14:16:42.190Z. NVD metadata includes CVSS v3.1 vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L and CWE-79. The supplied references point to the EspoCRM GitHub security advisory. No KEV entry is present in the provided corpus.
Official resources
- CVE-2026-33741 CVE record (CVE.org)
- CVE-2026-33741 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Publicly disclosed on 2026-05-19 and updated on 2026-05-20; no KEV listing is included in the supplied data.