EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating at…

CVE-2026-33656 affects EspoCRM versions prior to 9.3.4. The vulnerability exists in the built-in formula scripting engine that allows authenticated administrators to update attachment sourceId fields. Due to lack of input sanitization in EspoUploadDir::getFilePath(), attackers can manipulate the sourceId field to redirect file operations to arbitrary paths within the web server's open_basedir scope. This path traversal vulnerability enables unauthorized file read/write operations. The issue has been fixed in version 9.3.4.