
CVE-2026-33656: EspoCRM ≤ 9.3.3 Vulnerability Allows Authenticated RCE
Vulnerabilities, Exploits, Remote Code Execution, Cybersecurity
EspoCRM’s formula engine does not enforce field-level restrictions, so a formula can overwrite fields that the normal API treats as read-only, including Attachment.sourceId. Because sourceId is passed unsanitized into the file path built by getFilePath(), a traversal sequence in that value makes the resulting file operation land outside the attachments directory. An attacker with admin credentials can chain this to upload a webshell, manipulate .htaccess, and achieve remote code execution (RCE) in six requests. Exploitation therefore requires authenticated admin-level access to the formula engine; the vulnerability was patched in version 9.3.4, and upgrading to that release or later is the fix.
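The following is an added illustration of the path-traversal half of the bug, not EspoCRM’s own code: the directory layout, the id format enforced by the allowlist regex, and the function names are assumptions for the example. It models the unsafe “concatenate the id into the path” pattern beside a hardened variant (allowlist plus containment check), and adds a small audit helper that flags stored sourceId values which would already resolve outside the attachments directory, which is the check a defender would run on an instance that was exposed before upgrading.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed layout for illustration only; EspoCRM's real directory layout and
# its getFilePath() implementation are not reproduced here.
ATTACHMENTS_DIR = PurePosixPath("/var/www/espocrm/data/upload/attachments")
WEB_ROOT = PurePosixPath("/var/www/espocrm/public")

# Assumed id format for the hardened check: a short alphanumeric token. Adjust
# the pattern to the real id format of the application you are protecting.
SOURCE_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def vulnerable_get_file_path(source_id: str) -> PurePosixPath:
    """Unsafe pattern: the id is concatenated into the path without validation."""
    return PurePosixPath(f"{ATTACHMENTS_DIR}/{source_id}")


def normalize(path: PurePosixPath) -> PurePosixPath:
    """Collapse '.' and '..' lexically (no filesystem access, so it runs anywhere)."""
    return PurePosixPath(posixpath.normpath(str(path)))


def escapes_dir(path: PurePosixPath, base: PurePosixPath = ATTACHMENTS_DIR) -> bool:
    """True if the normalized path lies outside base (not base itself or a child)."""
    resolved = normalize(path)
    return resolved != base and base not in resolved.parents


def is_safe_source_id(source_id: str) -> bool:
    """Allowlist the id, then confirm the joined path is a direct child of the dir."""
    if not SOURCE_ID_RE.fullmatch(source_id):
        return False
    return normalize(ATTACHMENTS_DIR / source_id).parent == ATTACHMENTS_DIR


def hardened_get_file_path(source_id: str) -> PurePosixPath:
    """Hardened variant: rejects anything that is not a plain id."""
    if not is_safe_source_id(source_id):
        raise ValueError(f"rejected attachment id: {source_id!r}")
    return ATTACHMENTS_DIR / source_id


def audit_source_ids(source_ids):
    """Flag stored ids that resolve outside the attachments dir.

    Returns (id, resolved path, lands_under_web_root) for each finding, so a
    reviewer can see at a glance which records point into the web root.
    """
    findings = []
    for sid in source_ids:
        target = normalize(vulnerable_get_file_path(sid))
        if escapes_dir(target):
            findings.append((sid, str(target), target.is_relative_to(WEB_ROOT)))
    return findings


# Constructed sample of sourceId values as they might appear in an export.
SAMPLE_SOURCE_IDS = [
    "6612ab34cd56ef789",                # well-formed id
    "../../../public/shell.php",        # traversal into the web root
    "../../../../../../../etc/passwd",  # traversal that climbs past the root
    "sub/file",                         # stays inside the dir but is not a plain id
]

if __name__ == "__main__":
    for finding in audit_source_ids(SAMPLE_SOURCE_IDS):
        print(finding)
```

Note the difference between the two checks: `escapes_dir` only catches values that leave the directory, so `sub/file` passes it, while `is_safe_source_id` rejects anything that is not a single plain id. The hardened path builder uses the stricter check; the audit helper uses the looser one because its job is to find records that are already dangerous, not to enforce the id format.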