CVE & CISA-KEV Catalog

CVE-2026-33657

MEDIUM
4.6
CVSS v3
NVD

Description

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.

How to fix

Remediation Available
espocrmNVD
Affected:< 9.3.4Fixed in:9.3.4CVE-2026-33657derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionRequired
ScopeUnchanged

Impact

ConfidentialityLow
IntegrityLow
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Exploit Intelligence

0.18%probability of exploitation in 30 days
7thpercentile

Low risk: more likely to be exploited than 7% of all known CVEs.

References

Exploit1
Release Notes1
Embed a live status badge for CVE-2026-33657
CVE-2026-33657 severity badge

Markdown

[![CVE-2026-33657](https://tridentstack.com/cve/badge/CVE-2026-33657.svg)](https://tridentstack.com/cve/CVE-2026-33657)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-33657"><img src="https://tridentstack.com/cve/badge/CVE-2026-33657.svg" alt="CVE-2026-33657"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-22.