PatchSiren

EspoCRM CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM espocrm CVE published 2026-05-28

CVE-2026-41160

A broken access control vulnerability in EspoCRM 9.3.3 allows low-privileged users to persistently modify note pinning status without proper authorization. The flaw exists in the POST /api/v1/Note/{id}/pin endpoint where the server processes the write operation before validating permissions, resulting in a 'write first, authorize later' execution pattern. While the API returns a 403 Forbidden response, th [truncated]

MEDIUM espocrm CVE published 2026-05-28

CVE-2026-41141

EspoCRM versions prior to 9.3.5 contain an authorization bypass vulnerability in the email template preparation endpoint. The POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter to resolve the owning entity (Contact, Lead, Account, or User) without performing an access control list (ACL) check. An authenticated attacker with EmailTemplate read permission can extract all field [truncated]

MEDIUM espocrm CVE published 2026-05-19

CVE-2026-33741

CVE-2026-33741 affects EspoCRM versions 9.3.3 and below. The issue stems from SVG attachments being uploadable through normal attachment-capable fields and then rendered as top-level inline content through attachment and image entry points. That creates a stored cross-user XSS condition reachable through an ordinary workflow. The response CSP blocks inline SVG script, but the same-origin external script a [truncated]

HIGH EspoCRM CVE published 2026-02-03

CVE-2020-37094

CVE-2020-37094 details an authentication token reuse vulnerability in EspoCRM 5.7.0 prior to 5.9.0. This vulnerability allows authenticated attackers to bypass two-factor authentication by exploiting token-to-password-hash mapping. Attackers can obtain an authentication token for a controlled account and replay it against any victim account sharing the same password, bypassing the victim's 2FA protections [truncated]