CVE-2026-33741 Overview
CVE-2026-33741 is a stored cross-site scripting (XSS) vulnerability in EspoCRM, an open source customer relationship management application. Versions 9.3.3 and below permit authenticated users to upload SVG attachments through standard attachment fields and serve them as top-level inline documents. An attacker can chain a malicious SVG with a same-origin JavaScript attachment to execute code in another user's browser session. The issue is classified under CWE-79 and was fixed in version 9.3.4.
Critical Impact
Authenticated attackers can achieve stored cross-user XSS within the victim's EspoCRM origin, enabling session theft, data exfiltration, and unauthorized actions performed as the victim.
Affected Products
- EspoCRM versions 9.3.3 and earlier
- Fixed in EspoCRM version 9.3.4
- All deployments accepting authenticated user attachment uploads
Discovery Timeline
- 2026-05-19 - CVE-2026-33741 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-33741
Vulnerability Analysis
The vulnerability resides in EspoCRM's attachment handling pipeline. Authenticated users can upload SVG files through attachment-capable fields used in normal application workflows. The application then serves those SVG files as top-level inline documents through both the attachment and image entry points. Because the SVG renders in the same origin as the EspoCRM application, any JavaScript executed within it operates with the victim's session context.
EspoCRM's Content Security Policy (CSP) blocks inline <script> execution within the served SVG. However, the same CSP still permits loading external scripts from the same origin. An attacker exploits this gap by uploading two attachments: an SVG containing a <script> element whose src points at a same-origin URL, and a second attacker-controlled JavaScript file hosted as an attachment on that same origin. When the victim opens the SVG, the browser fetches the companion JavaScript attachment and executes it under the EspoCRM origin.
Root Cause
The root cause is improper handling of user-supplied SVG content combined with a permissive CSP. The application treats uploaded SVG files as renderable inline documents rather than enforcing safe content types or sandboxed delivery. The CSP's allowance of same-origin script sources fails to account for the fact that attackers can write arbitrary JavaScript files into the same origin through the attachment endpoint.
Attack Vector
Exploitation requires an authenticated low-privilege account and one user interaction. The attacker uploads the SVG payload and JavaScript file through the standard attachment workflow, then delivers the SVG link to another user. When the victim opens the link, the browser renders the SVG, loads the same-origin script, and executes attacker code in the victim's authenticated context. See the GitHub Security Advisory GHSA-5wh5-ccv2-m3pv for additional technical details.
Detection Methods for CVE-2026-33741
Indicators of Compromise
- SVG files stored in EspoCRM attachment directories containing <script src="..."> or <use xlink:href="..."> references pointing to other attachment URLs
- JavaScript files (.js) uploaded as attachments by non-administrative users
- HTTP requests to the attachment or image entry points returning Content-Type: image/svg+xml followed by additional same-origin script fetches
Detection Strategies
- Inspect attachment storage for SVG content containing script elements, event handlers (onload, onclick), or external resource references
- Review web server access logs for sequential requests pairing SVG retrieval with .js attachment retrieval from the same session
- Audit attachment uploads grouped by user account to identify users uploading both SVG and JavaScript file types
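The two checks above (static inspection of stored SVG content, and pairing an SVG retrieval with a follow-up .js attachment retrieval in the same session) as an added, runnable example. This is illustration code written for this page, not EspoCRM's own tooling. It assumes attachment URLs carry an entryPoint=attachment or entryPoint=image query parameter and that the web server's access-log format has been extended to record the response Content-Type and an opaque session identifier; the SVG documents and log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: attachment and image entry points are addressed by these query
# parameters; adjust the pattern to your deployment's URL shape.
ATTACHMENT_REF = re.compile(r"entryPoint=(attachment|image)", re.I)
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


def scan_svg(svg_text: str) -> list:
    """Return findings for one SVG document (empty list == nothing suspicious).

    Flags the indicators the advisory names: <script> elements, on* event
    handler attributes, and href/xlink:href references into attachment URLs.
    For untrusted input in production, parse with defusedxml rather than
    xml.etree to rule out entity-expansion tricks.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG ({exc}); treat as suspicious"]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()          # drop the namespace prefix
        if tag == "script":
            src = elem.get("src") or elem.get("href") or elem.get(
                "{http://www.w3.org/1999/xlink}href")
            findings.append(f"<script> element (src={src!r})")
        for attr, value in elem.attrib.items():
            local = attr.split("}")[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler {local} on <{tag}>")
            elif local == "href" and ATTACHMENT_REF.search(value):
                findings.append(f"<{tag}> references attachment URL {value!r}")
    return findings


# Assumption: custom access-log format
#   $remote_addr [$time_local] "$request" $status "$sent_http_content_type" <session>
# where <session> is an opaque identifier such as a hash of the session cookie.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)" (?P<session>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["ctype"] = rec["ctype"].split(";")[0].strip().lower()
    return rec


def find_svg_script_chains(lines, window=timedelta(seconds=10)):
    """Per session, pair a 200 image/svg+xml response with a JavaScript
    response from an attachment URL that follows it within `window`."""
    by_session = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["status"] == "200":
            by_session[rec["session"]].append(rec)
    chains = []
    for session, recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for i, svg in enumerate(recs):
            if svg["ctype"] != "image/svg+xml":
                continue
            for follow in recs[i + 1:]:
                if follow["ts"] - svg["ts"] > window:
                    break
                if follow["ctype"] in JS_TYPES and ATTACHMENT_REF.search(follow["path"]):
                    chains.append((session, svg["path"], follow["path"]))
    return chains


# Constructed samples: one SVG carrying all three indicators, one clean SVG,
# and four log lines (session A shows the SVG-then-script pair, session B does not).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script src="/?entryPoint=attachment&amp;id=js1"></script>
  <use xlink:href="/?entryPoint=image&amp;id=img1#node"/>
</svg>"""
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SAMPLE_LOG = [
    '203.0.113.5 [20/May/2026:10:00:01 +0000] "GET /?entryPoint=attachment&id=svg1 HTTP/1.1" 200 "image/svg+xml" sessA',
    '203.0.113.5 [20/May/2026:10:00:02 +0000] "GET /?entryPoint=attachment&id=js1 HTTP/1.1" 200 "application/javascript" sessA',
    '198.51.100.7 [20/May/2026:10:05:00 +0000] "GET /?entryPoint=attachment&id=doc1 HTTP/1.1" 200 "application/pdf" sessB',
    '198.51.100.7 [20/May/2026:10:30:00 +0000] "GET /?entryPoint=attachment&id=js1 HTTP/1.1" 200 "application/javascript" sessB',
]

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print("SVG finding:", finding)
    for session, svg_path, js_path in find_svg_script_chains(SAMPLE_LOG):
        print(f"session {session}: {svg_path} -> {js_path}")
```

Run scan_svg over every SVG in the attachment store and feed find_svg_script_chains the access log for the period under review; a session that shows the SVG-then-script pair is the one whose user should have tokens revoked.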
Monitoring Recommendations
- Alert on uploads of file types with executable browser interpretation, including .svg, .html, and .js, by non-administrative roles
- Monitor EspoCRM audit logs for attachment access patterns where multiple users open the same uploaded SVG within a short window
- Track CSP violation reports from EspoCRM users to identify attempted script execution chains
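The first two monitoring recommendations as an added example: an upload audit that alerts on browser-interpreted file types uploaded by non-administrative roles and flags accounts that uploaded both an SVG and a JavaScript file, plus a sliding-window check for an SVG attachment opened by several distinct users in a short period. This is illustration code for this page, not part of EspoCRM; the role label "admin" and the shape of the upload and access records are assumptions, and all records are constructed.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# File types the advisory lists as browser-interpreted. The role label is an
# assumption about how roles appear in an exported audit log.
EXECUTABLE_TYPES = {".svg", ".html", ".htm", ".js"}
PRIVILEGED_ROLES = {"admin"}


def audit_uploads(uploads):
    """Return (alerts, paired_users).

    alerts: (user, filename) for browser-executable uploads by non-admin roles.
    paired_users: users who uploaded both an SVG and a JavaScript file, the
    combination the advisory describes.
    """
    alerts = []
    exts_by_user = defaultdict(set)
    for up in uploads:
        ext = os.path.splitext(up["name"].lower())[1]
        exts_by_user[up["user"]].add(ext)
        if ext in EXECUTABLE_TYPES and up["role"] not in PRIVILEGED_ROLES:
            alerts.append((up["user"], up["name"]))
    paired = sorted(u for u, exts in exts_by_user.items() if {".svg", ".js"} <= exts)
    return alerts, paired


def shared_svg_opens(opens, window=timedelta(minutes=15), min_users=2):
    """Return SVG attachments opened by at least `min_users` distinct users
    within some `window`-long interval (the pattern of a link being passed around)."""
    by_attachment = defaultdict(list)
    for ev in opens:
        if ev["name"].lower().endswith(".svg"):
            by_attachment[ev["name"]].append((ev["ts"], ev["user"]))
    flagged = []
    for name, events in by_attachment.items():
        events.sort()                                   # chronological
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged.append(name)
                break
    return sorted(flagged)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed records: an admin uploading an SVG (no alert), a regular user
# uploading both an SVG and a .js file, and a harmless PDF.
SAMPLE_UPLOADS = [
    {"user": "alice", "role": "admin", "name": "logo.svg"},
    {"user": "mallory", "role": "regular", "name": "chart.svg"},
    {"user": "mallory", "role": "regular", "name": "helper.js"},
    {"user": "bob", "role": "regular", "name": "report.pdf"},
]
# Constructed access events: chart.svg opened by three users within nine
# minutes; logo.svg opened by two users four hours apart.
SAMPLE_OPENS = [
    {"name": "chart.svg", "user": "bob", "ts": _t("2026-05-20T10:00:00")},
    {"name": "chart.svg", "user": "carol", "ts": _t("2026-05-20T10:04:00")},
    {"name": "chart.svg", "user": "dave", "ts": _t("2026-05-20T10:09:00")},
    {"name": "logo.svg", "user": "bob", "ts": _t("2026-05-20T09:00:00")},
    {"name": "logo.svg", "user": "carol", "ts": _t("2026-05-20T13:00:00")},
]

if __name__ == "__main__":
    alerts, paired = audit_uploads(SAMPLE_UPLOADS)
    print("upload alerts:", alerts)
    print("users with both SVG and JS uploads:", paired)
    print("SVGs opened by multiple users within 15 min:", shared_svg_opens(SAMPLE_OPENS))
```

The window and user threshold are tuning knobs; a tighter window or a higher threshold trades missed cases for fewer alerts in deployments where SVG attachments are legitimately shared.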
How to Mitigate CVE-2026-33741
Immediate Actions Required
- Upgrade EspoCRM to version 9.3.4 or later, which contains the official fix
- Audit existing attachments for SVG and JavaScript files uploaded since deployment and quarantine suspicious entries
- Revoke and reissue session tokens for users who may have opened untrusted SVG attachments
Patch Information
The EspoCRM maintainers released the fix in version 9.3.4. The patch addresses the SVG handling and CSP enforcement gaps documented in the GitHub Security Advisory GHSA-5wh5-ccv2-m3pv. Administrators should follow the standard EspoCRM upgrade procedure and verify the application version after deployment.
Workarounds
- Block SVG uploads at the reverse proxy or web application firewall until patching is complete
- Configure the web server to force Content-Disposition: attachment and Content-Type: application/octet-stream on attachment downloads to prevent inline rendering
- Restrict attachment upload permissions to trusted user roles only
- Tighten the deployment CSP to disallow script-src 'self' for the attachment serving path
# Example nginx configuration to force attachment download for SVG files.
# A suffix match only covers requests whose path ends in .svg; attachments served
# through the application's attachment and image entry points need the same
# headers applied on that location too. Note that add_header directives in a
# location replace, rather than extend, those inherited from the enclosing block.
location ~* \.svg$ {
    # The empty types block makes default_type apply even though .svg is in mime.types
    types { }
    default_type application/octet-stream;
    add_header Content-Disposition "attachment";
    add_header X-Content-Type-Options "nosniff";
}
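A way to verify that the workarounds above actually took effect, as an added example written for this page (not EspoCRM's or nginx's own tooling): given the response headers of an attachment download, it reports whether a renderable type is still served inline, whether nosniff is missing, and whether the CSP on that path still permits same-origin script loads. The CSP evaluation is deliberately simplified (no host-source or nonce matching) and the header sets are constructed; in practice the headers would be captured from the running deployment.

```python
# Content types a browser will render as a document in the application origin.
RENDERABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}


def parse_csp(value: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_allows_same_origin_script(csp_value: str) -> bool:
    """Simplified check: would a script fetched from the page's own origin run?

    Honours the sandbox directive (a sandboxed document without allow-scripts
    runs no script at all), then falls back from script-src to default-src.
    Nonces, hashes and explicit host sources are not evaluated.
    """
    policy = parse_csp(csp_value)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                      # no applicable directive: unrestricted
    return bool({"'self'", "*"} & set(sources))


def assess_attachment_response(headers: dict) -> list:
    """Return findings for one attachment-download response (empty == hardened)."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    findings = []
    if ctype in RENDERABLE_TYPES and disposition != "attachment":
        findings.append(f"{ctype} served inline: browser renders it in the application origin")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if ctype in RENDERABLE_TYPES and csp_allows_same_origin_script(
            h.get("content-security-policy", "")):
        findings.append("CSP on this path still permits same-origin script loads")
    return findings


# Constructed header sets: the weak configuration, the download-forcing
# workaround, and a hardened response that also sandboxes the document.
VULNERABLE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
DOWNLOAD_ONLY_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": "attachment; filename=chart.svg",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}
HARDENED_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}

if __name__ == "__main__":
    for label, hdrs in [("vulnerable", VULNERABLE_HEADERS),
                        ("download-only", DOWNLOAD_ONLY_HEADERS),
                        ("hardened", HARDENED_HEADERS)]:
        print(label, "->", assess_attachment_response(hdrs) or "no findings")
```

Feed the function the headers returned for a known SVG attachment through both the attachment and the image entry points; a clean result on one path and findings on the other means the workaround was applied to only part of the serving surface.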
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.