This is an automated archive made by the Lemmit Bot.
The original was posted on /r/netsec by /u/JivaSecurity on 2026-03-25 12:51:52+00:00.
Root cause: EspoCRM’s formula engine operates outside the field-level restriction layer — fields marked readOnly (like Attachment.sourceId) are writable through it. sourceId is concatenated directly into a file path in getFilePath() with no sanitization. Chain: modify sourceId via formula → upload webshell via chunked upload → poison .htaccess → RCE as www-data. Six requests, admin credentials required. Coordinated disclosure — patched in 9.3.4.
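The path-handling flaw described in the post, as an added example in PHP 8 that is neither EspoCRM's code nor the 9.3.4 patch: the unchecked concatenation beside a version that validates the identifier where the path is built, so it does not depend on field-level restrictions holding upstream. `UPLOAD_DIR`, the function names, the ID format and the sample values are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical storage root and function names; sample IDs are constructed.
const UPLOAD_DIR = '/var/www/app/data/upload';

// Pattern from the post: identifier concatenated into the path unchecked.
function filePathUnsafe(string $sourceId): string
{
    return UPLOAD_DIR . '/' . $sourceId;
}

// Resolve "." and ".." lexically. realpath() is no help on the write path:
// it returns false when the target file does not exist yet.
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '..') {
            array_pop($out);
        } elseif ($seg !== '' && $seg !== '.') {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

// Hardened: allow-list the identifier at the point of use, then confirm
// the resolved path is still inside the storage root.
function filePathSafe(string $sourceId): string
{
    // Assumed ID format: 1-64 ASCII alphanumerics (no dots or separators).
    if (preg_match('/\A[A-Za-z0-9]{1,64}\z/', $sourceId) !== 1) {
        throw new InvalidArgumentException('invalid attachment source id');
    }
    $path = normalizePath(UPLOAD_DIR . '/' . $sourceId);
    if (!str_starts_with($path, UPLOAD_DIR . '/')) { // PHP 8.0+
        throw new RuntimeException('path escapes upload directory');
    }
    return $path;
}

foreach (['64f1c2a9b7e3d5a01', '../../outside/file'] as $id) {
    echo normalizePath(filePathUnsafe($id)), ' <- unsafe', PHP_EOL;
    try {
        echo filePathSafe($id), ' <- safe', PHP_EOL;
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```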

