Known Vulnerabilities for products from EspoCRM
Listed below are 20 of the newest known vulnerabilities associated with the vendor "EspoCRM".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-41160 json | Not Provided | 2026-05-28 | 2026-05-28 | |
| CVE-2026-41141 json | Not Provided | 2026-05-28 | 2026-05-28 | |
| CVE-2026-33741 json | Not Provided | 2026-05-19 | 2026-05-19 | |
| CVE-2026-33740 json | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/i... | Not Provided | 2026-04-13 | 2026-04-22 |
| CVE-2026-33733 json | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management... | Not Provided | 2026-04-22 | 2026-04-27 |
| CVE-2026-33659 json | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachm... | Not Provided | 2026-04-13 | 2026-04-22 |
| CVE-2026-33657 json | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection... | Not Provided | 2026-04-13 | 2026-04-22 |
| CVE-2026-33656 json | Not Provided | 2026-04-22 | 2026-04-23 | |
| CVE-2026-33534 json | Not Provided | 2026-04-13 | 2026-04-14 | |
| CVE-2023-5966 json | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the ext... | Not Provided | 2023-11-30 | 2026-04-20 |
| CVE-2023-5965 json | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the upd... | Not Provided | 2023-11-30 | 2026-04-20 |
| CVE-2022-38846 json | EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure c... | 5.9 - MEDIUM | 2022-09-16 | 2022-09-17 |
| CVE-2022-38845 json | Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser v... | 6.1 - MEDIUM | 2022-09-16 | 2023-08-08 |
| CVE-2022-38844 json | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating conta... | 8 - HIGH | 2022-09-16 | 2022-09-17 |
| CVE-2022-38843 json | EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extensio... | 8.8 - HIGH | 2022-09-16 | 2022-09-17 |
| CVE-2021-3539 json | EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-suppl... | 5.4 - MEDIUM | 2021-08-04 | 2021-08-11 |
| CVE-2019-14550 json | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature p... | 5.4 - MEDIUM | 2019-08-05 | 2019-08-09 |
| CVE-2019-14549 json | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed en... | 5.4 - MEDIUM | 2019-08-05 | 2019-08-09 |
| CVE-2019-14548 json | An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articl... | 5.4 - MEDIUM | 2019-08-05 | 2019-08-09 |
| CVE-2019-14547 json | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a attacker sends an attachment to admin with ma... | 5.4 - MEDIUM | 2019-08-05 | 2019-08-09 |
Known software with vulnerabilities from EspoCRM
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Espocrm | Espocrm | 1.0.0 |