#VU125919 Server-Side Request Forgery (SSRF) in EspoCRM - CVE-2026-33534

Published: April 14, 2026


Vulnerability identifier: #VU125919
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33534
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: EspoCRM
Software vendor: EspoCRM

Description

The vulnerability allows a remote user to make requests to internal resources and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the /api/v1/Attachment/fromImageUrl endpoint when processing a user-supplied image URL containing an alternative IPv4 representation. A remote user can send a specially crafted request using octal IPv4 notation to make requests to internal resources and disclose sensitive information.

In the confirmed flow, the fetched response is stored as an attachment.
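The bypass class described above (an alternative IPv4 spelling that a naive allow-list check does not recognise as a loopback or internal address) is best mitigated by canonicalising the host before deciding whether to fetch it. The following is an added illustration, not EspoCRM's own code: it parses inet_aton-style spellings (octal, hex, decimal, fewer than four parts) into a canonical address, resolves plain hostnames through an injectable resolver, and rejects anything that is not globally routable. Function names are hypothetical, and the check assumes the fetcher then connects to the address that was validated rather than re-resolving the name.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# One inet_aton-style component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_legacy_ipv4(host: str):
    """Canonical IPv4Address for any inet_aton spelling (0177.0.0.1, 0x7f.1, 2130706433), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = []
    for p in parts:
        if p[:2].lower() == "0x":
            nums.append(int(p, 16))
        elif len(p) > 1 and p[0] == "0":
            nums.append(int(p, 8))          # leading zero selects octal, as in inet_aton
        else:
            nums.append(int(p))
    # The first n-1 parts are single bytes; the last part fills the remaining 5-n bytes.
    if any(v > 255 for v in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, v in enumerate(nums[:-1]):
        value += v << (8 * (3 - i))
    return ipaddress.IPv4Address(value)


def is_safe_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Allow only http(s) URLs whose host maps exclusively to globally routable addresses."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    literal = parse_legacy_ipv4(u.hostname)
    if literal is None:
        try:
            literal = ipaddress.ip_address(u.hostname)   # IPv6 literals such as [::1]
        except ValueError:
            literal = None
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [ipaddress.ip_address(info[4][0]) for info in resolver(u.hostname, None)]
        except OSError:
            return False
    # Loopback, RFC 1918, link-local (incl. 169.254.169.254) and unspecified all fail is_global.
    return bool(addresses) and all(a.is_global for a in addresses)
```

A plain substring check for "127.0.0.1" or "localhost" would accept http://0177.0.0.1/ and http://2130706433/; canonicalising first makes both fail the same way the dotted-quad loopback does.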


Remediation

Install the security update from the vendor's website.

External links