CVE-2026-33659

Published: Apr 13, 2026 Last Modified: Apr 14, 2026
ExploitDB:
Other exploit source:
Google Dorks:
LOW 3,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: low
Integrity: none
Availability: none

Description

AI Translation Available

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0004
Percentile
0,1th
Updated

EPSS Score Trend (Last 3 Days)

367

Time-of-check Time-of-use (TOCTOU) Race Condition

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Other Non-Repudiation
Potential Impacts:
Alter Execution Logic Unexpected State Modify Application Data Modify Files Or Directories Modify Memory Other Hide Activities
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: Medium
View CWE Details
918

Server-Side Request Forgery (SSRF)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
View CWE Details
https://github.com/espocrm/espocrm/security/advisories/GHSA…
https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7
https://github.com/espocrm/espocrm/commit/dca03cc3458e48736…
https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de999…
https://github.com/espocrm/espocrm/releases/tag/9.3.4
https://github.com/espocrm/espocrm/releases/tag/9.3.4
https://github.com/espocrm/espocrm/security/advisories/GHSA…
https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7