CVE-2023-5965 MEDIUM

CVE-2023-5965: Unrestricted Upload of File with Dangerous Type in EspoCRM

Vendor Espocrm
Product EspoCRM
Weakness CWE-434 · Unrestricted file upload
Published November 30, 2023
Last update April 20, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the update form, which could lead to arbitrary PHP code execution.

Key dates

02 Disclosure timeline

November 30, 2023 CVE published
April 20, 2026 Record updated