EspoCRM Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2026-33656
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowed updating an attachment's sourceId, so an authenticated admin could overwrite the sourceId field on Attachment entities. Because sourceId is concatenated directly into a file path with no sanitization in EspoUploadDir::getFilePath(), such an admin can redirect any file read or write operation to an arbitrary path within the web server's open_basedir scope (or anywhere the PHP process can reach if open_basedir is not configured). Version 9.3.4 fixes the issue.
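The pattern the advisory describes, an attacker-controlled identifier concatenated straight into a filesystem path, next to a hardened variant, as an added illustration. This is not EspoCRM's code and does not reproduce EspoUploadDir::getFilePath(); the function names, the temporary upload directory and the assumed alphanumeric format of attachment ids are assumptions made for the example.

```php
<?php
// Added illustration, not EspoCRM's own code. The upload directory, the
// function names and the assumed id format are assumptions; only the pattern
// (an attacker-controlled id concatenated into a file path) mirrors the advisory.
declare(strict_types=1);

// Assumed upload directory, created under the system temp dir so the script
// runs stand-alone.
$uploadDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'espo-upload-demo';
if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0700, true);
}

// Mirrors the flaw as described: the id goes straight into the path, so an id
// such as "../../config.php" escapes the upload directory (bounded only by
// whatever open_basedir permits).
function getFilePathUnsafe(string $uploadDir, string $sourceId): string
{
    return $uploadDir . '/' . $sourceId;
}

// Hardened variant: an allow-list on the id's syntax plus a canonical-path
// containment check, so neither traversal sequences nor a planted symlink can
// direct a read or write outside the upload directory.
function getFilePathSafe(string $uploadDir, string $sourceId): string
{
    // Attachment ids are assumed to be short alphanumerics; anything else
    // (slashes, dots, NUL bytes, backslashes) is rejected before any path is built.
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $sourceId)) {
        throw new InvalidArgumentException('Invalid attachment id');
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('Upload directory does not exist');
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $sourceId;

    // For an existing file, canonicalise and confirm it still sits under $base
    // (a symlink inside the upload dir could otherwise point elsewhere).
    $resolved = realpath($candidate);
    if ($resolved !== false) {
        if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
            throw new RuntimeException('Path escapes upload directory');
        }
        return $resolved;
    }

    // For a file that does not exist yet (a write), the syntax check above
    // already guarantees the name has no separators, so it cannot leave $base.
    return $candidate;
}

// Constructed inputs for a quick self-check; the second one shows the unsafe
// concatenation producing a path outside the upload directory.
foreach (['f3a9c2d1e0b7', '../../config.php', "abc\0def", 'dir/file'] as $id) {
    printf("unsafe %-22s -> %s\n", json_encode($id), getFilePathUnsafe($uploadDir, $id));
    try {
        printf("safe   %-22s -> %s\n", json_encode($id), getFilePathSafe($uploadDir, $id));
    } catch (Throwable $e) {
        printf("safe   %-22s -> rejected: %s\n", json_encode($id), $e->getMessage());
    }
}
```

The syntax allow-list is the check that actually closes the hole the advisory describes; the realpath containment check is defence in depth for the case where something inside the upload directory (for example a symlink) has already been tampered with. Neither relies on open_basedir, which bounds the damage of the original bug but is not a fix for it.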