CVE-2026-33534 | EspoCRM up to 9.3.3 fromImageUrl isNotInternalHost server-side request forgery

Inserito da Angelo Barbosa | Apr 13, 2026 | CVE

A vulnerability, which was classified as critical, has been found in EspoCRM up to 9.3.3. This affects the function HostCheck::isNotInternalHost of the file /api/v1/Attachment/fromImageUrl. This manipulation causes server-side request forgery.

This vulnerability is handled as CVE-2026-33534. The attack can be initiated remotely. There is not any exploit available.

It is advisable to upgrade the affected component.

CVE-2026-33534 | EspoCRM up to 9.3.3 fromImageUrl isNotInternalHost server-side request forgery

Post correlati

CVE-2024-10711 | WooCommerce Report Plugin up to 1.5.1 on WordPress Options Update cross-site request forgery

CVE-2024-0430 | IObit Malware Fighter 11.0.0.1274 ImfHpRegFilter.sys resource consumption

CVE-2024-39130 | DumpTS 0.1.0-nightly /src/DumpStream.cpp DumpOneStream null pointer dereference (Issue 20)

CVE-2024-20326 | Cisco ConfD CLI default permission (cisco-sa-cnfd-rwpesc-ZAOufyx8)