{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/espocrm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:espocrm:espocrm:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-33534"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EspoCRM 9.3.3"],"_cs_severities":["high"],"_cs_tags":["ssrf","webapps","cve-2026-33534"],"_cs_type":"advisory","_cs_vendors":["EspoCRM"],"content_html":"\u003cp\u003eA Server-Side Request Forgery (SSRF) vulnerability has been identified in EspoCRM version 9.3.3, tracked as CVE-2026-33534. An authenticated attacker can exploit this vulnerability to potentially force the server to make requests to unintended locations, including internal services that are normally protected. The public availability of an exploit (EDB-52583) increases the risk of exploitation. The vulnerability exists in the \u003ccode\u003eAttachment/fromImageUrl\u003c/code\u003e endpoint which is used to fetch images from a provided URL.\nAttackers can manipulate the \u003ccode\u003eurl\u003c/code\u003e parameter to point to internal resources by bypassing URL validation through techniques like IP address encoding.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the EspoCRM application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious request to the \u003ccode\u003e/api/v1/Attachment/fromImageUrl\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003eurl\u003c/code\u003e parameter containing a manipulated IP address (e.g., octal, hex, or decimal representation) pointing to an internal resource.\u003c/li\u003e\n\u003cli\u003eThe EspoCRM server, due to insufficient validation, processes the crafted URL.\u003c/li\u003e\n\u003cli\u003eThe server initiates a request to the attacker-specified internal resource.\u003c/li\u003e\n\u003cli\u003eThe server receives a response from the internal resource.\u003c/li\u003e\n\u003cli\u003eThe server may then process or display the received data, potentially leaking sensitive information or enabling further attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-33534) in EspoCRM 9.3.3 could allow an attacker to access sensitive internal resources, such as internal web applications, databases, or configuration files. This can lead to information disclosure, privilege escalation, or further compromise of the EspoCRM system and the underlying network.\nThe exploit\u0026rsquo;s public availability means organizations using unpatched versions of EspoCRM are at heightened risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of EspoCRM that addresses CVE-2026-33534 as outlined in the vendor\u0026rsquo;s advisory (\u003ca href=\"https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73\"\u003ehttps://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the \u003ccode\u003eurl\u003c/code\u003e parameter of the \u003ccode\u003e/api/v1/Attachment/fromImageUrl\u003c/code\u003e endpoint to prevent SSRF attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect EspoCRM SSRF via Encoded Loopback\u003c/code\u003e to identify exploitation attempts targeting CVE-2026-33534.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/api/v1/Attachment/fromImageUrl\u003c/code\u003e endpoint containing unusual or encoded IP addresses in the \u003ccode\u003eurl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T13:11:10Z","date_published":"2026-05-27T13:11:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-espocrm-ssrf/","summary":"A public exploit is available for EspoCRM 9.3.3, exploiting a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33534) allowing authenticated attackers to potentially access internal resources.","title":"EspoCRM 9.3.3 SSRF Vulnerability (CVE-2026-33534)","url":"https://feed.craftedsignal.io/briefs/2026-05-espocrm-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — EspoCRM","version":"https://jsonfeed.org/version/1.1"}