CVE-2026-33657
Stored HTML Injection in EspoCRM Emails Enables Phishing Attacks
Publication date: 2026-04-13
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| espocrm | espocrm | up to 9.3.4 (excluding 9.3.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to inject arbitrary HTML into system-generated emails, which can be used for phishing attacks, user tracking via embedded resources, and UI manipulation within email content.
Such activities could lead to unauthorized disclosure of personal data or misuse of user information, potentially impacting compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal data and preventing phishing or tracking attacks.
However, the provided information does not explicitly discuss the direct impact on compliance with these standards.
Can you explain this vulnerability to me?
CVE-2026-33657 is a stored HTML injection vulnerability in EspoCRM versions 9.3.3 and below. It allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes.
The vulnerability exists because the server-side Handlebars templates render the post field using unescaped triple-brace syntax, which outputs raw HTML without escaping. Additionally, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, allowing attacker-controlled HTML to be accepted, stored, and rendered directly into emails without any escaping.
Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users.
How can this vulnerability impact me?
This vulnerability can impact you by enabling phishing attacks that appear to come from a trusted system email address, increasing the likelihood that recipients will trust and interact with malicious content.
It allows injection of attacker-controlled links and HTML content into email notifications, which can be used for user tracking via embedded resources like image beacons.
The vulnerability also permits UI manipulation within email content, potentially misleading users or tricking them into performing unintended actions.
No elevated privileges are required to exploit this issue, as any authenticated user with standard privileges can perform the attack.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious HTML content in the post field of stream activity notes within EspoCRM versions 9.3.3 and below. Since the vulnerability involves stored HTML injection that results in unescaped HTML in system-generated email notifications, monitoring outgoing emails for suspicious HTML tags such as `<img>` tags used for tracking or styled `<div>` elements with phishing links can help identify exploitation.
To detect exploitation attempts, you can search the database or API logs for notes containing suspicious HTML content in the post field.
Suggested commands include:
- Query the database for notes with HTML tags in the post field, for example using SQL (adjust the table name to your deployment's schema): `SELECT * FROM stream_activity_notes WHERE post LIKE '%<img%' OR post LIKE '%<div%' OR post LIKE '%<a %';`
- Monitor outgoing SMTP traffic for emails containing unexpected HTML content or tracking pixels using tools like tcpdump or Wireshark, with the options placed before the capture filter: `tcpdump -i any -A 'port 25 or port 587' | grep -i '<img'`. This only sees plaintext SMTP; submissions on port 587 normally switch to TLS via STARTTLS, so for encrypted delivery inspect the messages at the mail server or mail gateway instead.
- Use EspoCRM API to list recent notes and inspect the post field for unescaped HTML content.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade EspoCRM to version 9.3.4 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, consider the following temporary mitigations:
- Restrict or monitor user permissions to limit who can create or edit stream activity notes.
- Implement email filtering rules to detect and block emails containing suspicious HTML content or tracking elements.
- Disable or restrict the use of the @mention feature to reduce targeted phishing risks.
- Review and sanitize existing notes in the database to remove malicious HTML content.
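The detection step above (searching stored post fields for HTML tags) and the last mitigation item (reviewing and cleaning existing notes), as one added example that is not part of this record or of EspoCRM's own code: a Python scan over constructed sample note rows that flags risky tags, marks 1-pixel image beacons, and produces a tag-free version of a flagged post. Real rows would be read from the database or API; the sample rows and the `RISKY_TAGS` list are assumptions made here.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows standing in for stream notes; real rows come from the
# EspoCRM database or API (the "post" field named on the page).
SAMPLE_NOTES = [
    {"id": "n1", "post": "Reviewed the quote with @sales, looks fine."},
    {"id": "n2", "post": 'Thanks! <img src="https://tracker.example/p.gif" width="1" height="1">'},
    {"id": "n3", "post": '<div style="border:1px solid red">Password expiring: '
                         '<a href="https://evil.example/login">reset now</a></div>'},
    {"id": "n4", "post": "Use `<b>` in markdown for bold text."},
]
# Elements the page names as phishing/tracking vehicles, plus the usual suspects.
RISKY_TAGS = {"img", "a", "div", "iframe", "form", "style", "link", "script"}

class NoteScanner(HTMLParser):
    """Collects risky start tags and, separately, the text with all tags removed."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[dict] = []
        self.text_parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in RISKY_TAGS:
            # 0/1-pixel images are the classic tracking beacon (heuristic).
            beacon = tag == "img" and a.get("width") in ("0", "1")
            self.findings.append({"tag": tag, "beacon": beacon,
                                  "url": a.get("src") or a.get("href") or ""})

    def handle_data(self, data):
        self.text_parts.append(data)

def _parse(post: str) -> NoteScanner:
    s = NoteScanner()
    s.feed(post)
    s.close()  # flushes buffered text so text_parts is complete
    return s

def scan_post(post: str) -> list[dict]:
    """Risky tags found in one note body (empty list means nothing to flag)."""
    return _parse(post).findings

def find_suspicious_notes(notes: list[dict]) -> dict[str, list[dict]]:
    """Map note id -> findings for every note that contains a risky tag."""
    return {n["id"]: f for n in notes if (f := scan_post(n["post"]))}

def neutralize_post(post: str) -> str:
    """Drop every tag, keep visible text, escape the rest (safe even via {{{post}}})."""
    return html.escape("".join(_parse(post).text_parts), quote=False)
```

Review each flagged note before rewriting it: `neutralize_post` also removes harmless inline tags, so it is a cleanup for confirmed injections, not a blanket rewrite of the table.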