Security

Report a vulnerability

.github/SECURITY.md

Security Policy

Reporting a vulnerability

If you believe you have discovered a vulnerability in EspoCRM, please contact us via this or this forms. Or create a private vulnerability report on GitHub.

What reports we do not accept:

Executing PHP code by an extension, during extension installation or upgrade process.
Exposing contacts through a target list, campaign or mass email, considering the user has access to them.
SSRF in IMAP/SMTP with TOCTOU.

Supported versions

For severe vulnerabilities we provide fixes for 2 minor versions (the second number in the version string) back from the current stable version.

IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup
GHSA-vvmh-mf4h-96hw published May 8, 2026 by yurikuzn

Moderate
Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes
GHSA-c3rm-m24p-255p published May 15, 2026 by yurikuzn

Moderate
Stored SVG attachment can execute same-origin uploaded JavaScript when opened via image or attachment entry points
GHSA-5wh5-ccv2-m3pv published May 8, 2026 by yurikuzn

Moderate
Email importEml can import and delete another user's attachment by raw fileId
GHSA-wr7j-hxf8-hc4w published Apr 13, 2026 by yurikuzn

Moderate
Admin TemplateManager path traversal allows arbitrary file read write and delete
GHSA-44c3-xjfp-3jrh published Apr 22, 2026 by yurikuzn

High
SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access
GHSA-6m4j-fwrx-crh7 published Apr 13, 2026 by yurikuzn

Low
Stored HTML injection in email notifications about stream notes via Markdown allowing HTML markup
GHSA-8prm-r5j9-j574 published Apr 13, 2026 by yurikuzn

Moderate
Authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user
GHSA-7922-x7cf-j54x published Apr 22, 2026 by yurikuzn

Critical
Authenticated SSRF via internal-host validation bypass using alternative IPv4 notation
GHSA-h7gx-8gwv-7g73 published Apr 13, 2026 by yurikuzn

Moderate
Stored SVG <a> Injection Enabling CSRF-Based Arbitrary User Creation
GHSA-c26c-wvhr-fr6r published Oct 14, 2025 by yurikuzn

Moderate

Learn more about advisories related to espocrm/espocrm in the GitHub Advisory Database