MEDIUM
espocrm
CVE published 2026-05-19
CVE-2026-33741
CVE-2026-33741 affects EspoCRM versions 9.3.3 and below. The issue stems from SVG attachments being uploadable through normal attachment-capable fields and then rendered as top-level inline content through attachment and image entry points. That creates a stored cross-user XSS condition reachable through an ordinary workflow. The response CSP blocks inline SVG script, but the same-origin external script a [truncated]
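The advisory's root cause is SVG that can be uploaded through ordinary fields and is then served inline as a top-level document. As an added example (not EspoCRM's own code), the following Python classifies an upload by its bytes rather than its declared MIME type, lists the constructs in an SVG that would run script if rendered inline, and chooses response headers that serve SVG as a download instead; the sample uploads are constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample uploads (not taken from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
              b'<script href="/constructed/path.js"/></svg>')

def svg_root(data: bytes):
    """Root element if the bytes parse as SVG, else None. Sniff the content:
    the declared MIME type and extension are chosen by the uploader."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    return root if root.tag in ("svg", f"{{{SVG_NS}}}svg") else None

def active_content(data: bytes) -> list:
    """Constructs that would execute if the SVG were rendered as a top-level
    document: script, foreignObject (embeds HTML), on* handlers, javascript: hrefs."""
    root = svg_root(data)
    if root is None:
        return []
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.append(f"{attr} handler on <{local}>")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{local}>")
    return findings

def response_headers(data: bytes, declared_mime: str) -> dict:
    """Headers for serving a stored attachment. Anything that is SVG by content
    is forced to a download with nosniff so it never loads as a same-origin
    document; a CSP alone only limits what an inline-rendered SVG may run."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if svg_root(data) is not None or declared_mime == "image/svg+xml":
        headers.update({"Content-Type": "image/svg+xml",
                        "Content-Disposition": "attachment"})
    else:
        headers.update({"Content-Type": declared_mime,
                        "Content-Disposition": "inline"})
    return headers
```

Feeding `active_content` into an upload hook gives a reviewable reason to reject or quarantine an SVG, while `response_headers` closes the inline-rendering path for anything that slips through.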