threatengine.sh

Product: espocrm
40 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Description | CVSS | Severity |
|---|---|---|---|---|
| CVE-2026-33733 | < 9.3.4 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endp | 7.2 | HIGH |
| CVE-2026-33656 | < 9.3.4 | EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripti | 9.1 | CRITICAL |
| CVE-2026-33740 | < 9.3.4 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/import | 5.4 | MEDIUM |
| CVE-2026-33659 | < 9.3.4 | EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/f | 3.5 | LOW |
| CVE-2026-33657 | < 9.3.4 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vuln | 4.6 | MEDIUM |
| CVE-2026-33534 | < 9.3.4 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side | 4.3 | MEDIUM |
| CVE-2020-37094 | <= 5.8.5 | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authori | 9.8 | CRITICAL |
| CVE-2025-59428 | < 9.1.9 | EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary | 5.4 | MEDIUM |
| CVE-2025-52892 | < 9.1.7 | EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versi | 4.5 | MEDIUM |
| CVE-2025-52575 | < 9.1.7 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to bl | 6.5 | MEDIUM |
| CVE-2025-32390 | < 9.0.8 | EspoCRM is a free, open-source customer relationship management platform. Prior to version 9.0.8, HTML Injection in Knowledge Base | 8.5 | HIGH |
| CVE-2025-32789 | < 9.0.7 | EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password | 3.1 | LOW |
| CVE-2025-32385 | < 9.0.5 | EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes | 5.3 | MEDIUM |
| CVE-2024-24818 | < 8.1.2 | EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Ch | 5.9 | MEDIUM |
| CVE-2023-46736 | <= 8.0.2 | EspoCRM is an Open Source CRM (Customer Relationship Management) software. In affected versions there is Server-Side Request Forge | 5.3 | MEDIUM |
| CVE-2023-5966 | <= 7.5.2 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extensio | 4.7 | MEDIUM |
| CVE-2023-5965 | <= 7.5.2 | An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update f | 4.7 | MEDIUM |
| CVE-2022-38846 | all versions | EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channe | 5.9 | MEDIUM |
| CVE-2022-38845 | all versions | Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim's browser via se | 6.1 | MEDIUM |
| CVE-2022-38844 | all versions | CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts w | 8.0 | HIGH |
| CVE-2022-38843 | all versions | EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to | 8.8 | HIGH |
| CVE-2021-3539 | <= 6.1.6 | EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied a | 6.3 | MEDIUM |
| CVE-2019-14550 | < 5.6.9 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when a victim clicks on the Edit Dashboard feature presen | 5.4 | MEDIUM |
| CVE-2019-14549 | < 5.6.9 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed inside the title and breadcrumb of a newly formed entity | 5.4 | MEDIUM |
| CVE-2019-14548 | < 5.6.9 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS in the body of an Article was executed when a victim opens articles re | 5.4 | MEDIUM |
| CVE-2019-14547 | < 5.6.9 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed when an attacker sends an attachment to admin with malicio | 5.4 | MEDIUM |
| CVE-2019-14546 | < 5.6.9 | An issue was discovered in EspoCRM before 5.6.9. Stored XSS was executed on the Preference page as well as while sending an email | 5.4 | MEDIUM |
| CVE-2019-14351 | all versions | EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password | 8.8 | HIGH |
| CVE-2019-14350 | all versions | EspoCRM 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the Knowledge base. A malicious attac | 6.1 | MEDIUM |
| CVE-2019-14349 | all versions | EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of filtration of user-supplied data in the api/v1/Document functiona | 6.1 | MEDIUM |
| CVE-2019-14331 | < 5.6.6 | An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create User. | 6.1 | MEDIUM |
| CVE-2019-14330 | < 5.6.6 | An issue was discovered in EspoCRM before 5.6.6. Stored XSS exists due to lack of filtration of user-supplied data in Create Case. | 6.1 | MEDIUM |
| CVE-2019-14329 | < 5.6.6 | An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Tas | 6.1 | MEDIUM |
| CVE-2019-13643 | < 5.6.4 | Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into t | 6.1 | MEDIUM |
| CVE-2018-17302 | all versions | Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a /#Email/view saved draft message. | 5.4 | MEDIUM |
| CVE-2018-17301 | all versions | Reflected XSS exists in client/res/templates/global-search/name-field.tpl in EspoCRM 5.3.6 via /#Account in the search panel. | 5.4 | MEDIUM |
| CVE-2014-7987 | <= 2.5.2 | Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML vi | | |
| CVE-2014-7986 | <= 2.5.2 | install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProces | | |
| CVE-2014-7985 | <= 2.5.2 | Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via | | |
| CVE-2014-8330 | all versions | Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via t | | |
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin