EspoCRM Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-59428

EspoCRM is an open source customer relationship management application. In versions before 9.1.9 a vulnerability allows arbitrary user creation including administrative accounts through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.