CVE-2026-33656 | EspoCRM up to 9.3.3 getFilePath sourceId path traversal
A vulnerability labeled as critical has been found in EspoCRM up to 9.3.3. It affects the function EspoUploadDir::getFilePath. Manipulation of the argument sourceId leads to path traversal.
This vulnerability is tracked as CVE-2026-33656. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.