#VU125917 Server-Side Request Forgery (SSRF) in EspoCRM - CVE-2026-33659


Published: April 14, 2026


Vulnerability identifier: #VU125917
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33659
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: EspoCRM
Software vendor: EspoCRM

Description

The vulnerability allows a remote user to access internal network services and disclose limited information.

The vulnerability exists due to server-side request forgery in the POST /api/v1/Attachment/fromImageUrl endpoint when fetching a user-supplied image URL. The endpoint validates the hostname before the request, but the HTTP client resolves the hostname again when it connects, so a remote user can supply a hostname that passes validation yet resolves to a different address at connection time, reaching internal network services and disclosing limited information.

User interaction is not required, but exploitation requires permission to create attachments.
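The weakness described above is a validate-then-reconnect gap: the address checked at validation time is not the address the client later connects to. The Python below is an added illustration, not EspoCRM code, and it makes no claim about how the vendor's fix works. It contrasts the vulnerable pattern with a hardened fetcher that resolves the hostname once, checks the resolved address, and then connects to that pinned address. The resolver is injected so the rebinding behaviour can be simulated offline; the hostnames and addresses in it are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_public_address(ip_text):
    """Return True only for addresses that are routable on the public Internet.

    Loopback, RFC 1918, link-local (including the 169.254.169.254 cloud
    metadata range), multicast, reserved and unspecified addresses are rejected.
    IPv4-mapped IPv6 addresses are unwrapped so ::ffff:127.0.0.1 is judged as 127.0.0.1.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def system_resolver(hostname):
    """Real resolver (hypothetical helper): first address from getaddrinfo."""
    return socket.getaddrinfo(hostname, None)[0][4][0]


class RebindingResolver:
    """Constructed resolver simulating DNS rebinding: each lookup returns the
    next answer in the list, and the last answer repeats once the list runs out."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, hostname):
        index = min(self.calls, len(self.answers) - 1)
        self.calls += 1
        return self.answers[index]


def naive_fetch_target(url, resolve=system_resolver):
    """Vulnerable pattern: validate one lookup, then let the HTTP client
    look the name up again. Returns the address the client would connect to."""
    host = urlparse(url).hostname
    if not is_public_address(resolve(host)):
        raise ValueError("blocked by validation")
    # The HTTP client performs its own, second lookup here.
    return resolve(host)


def pinned_fetch_target(url, resolve=system_resolver):
    """Hardened pattern: resolve once, validate that result, and connect to the
    very same address (setting the Host header to the original hostname).
    Returns the pinned address the client connects to."""
    host = urlparse(url).hostname
    pinned_ip = resolve(host)
    if not is_public_address(pinned_ip):
        raise ValueError("blocked by validation")
    # Connect to pinned_ip, not to host; the name is never resolved again.
    return pinned_ip


def is_blocked(fetch, url, resolve):
    """True if the given fetcher refuses the URL under the given resolver."""
    try:
        fetch(url, resolve)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: first answer is public, the second is loopback.
    naive = naive_fetch_target("http://img.example.test/a.png",
                               RebindingResolver(["1.2.3.4", "127.0.0.1"]))
    pinned = pinned_fetch_target("http://img.example.test/a.png",
                                 RebindingResolver(["1.2.3.4", "127.0.0.1"]))
    print("naive connects to:", naive)     # 127.0.0.1 (rebinding succeeded)
    print("pinned connects to:", pinned)   # 1.2.3.4 (validated address reused)
```

Pinning the address closes the re-resolution gap, but two further points matter in a real fetcher: HTTP redirects must go through the same resolve-validate-pin path for every hop, because a redirect target is just another attacker-influenced URL, and for HTTPS the TLS layer needs the original hostname for SNI and certificate verification even though the socket is opened to the pinned IP.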


Remediation

Install the security update from the vendor's website.

External links