CVE-2025-59428 MEDIUM

CVE-2025-59428: EspoCRM allows arbitrary user creation via stored SVG injection and CSRF

Vendor Espocrm
Product espocrm
Weakness CWE-352 · CSRF
Published October 14, 2025
Last update October 14, 2025
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

EspoCRM is an open source customer relationship management application. In versions before 9.1.9, a vulnerability allows arbitrary user creation, including administrative accounts, through a combination of stored SVG injection and lack of CSRF protection. An attacker with Knowledge Base edit permissions can embed a malicious SVG element containing a link in the body field of an article. When an authenticated user clicks the malicious link, they are redirected to an attacker-controlled HTML page that executes a CSRF request against the api/v1/User endpoint. If the victim is prompted for and enters their credentials, an attacker-controlled account is created with privileges determined by the CSRF payload. This issue has been patched in version 9.1.9.

Key dates

02Disclosure timeline

October 14, 2025 CVE published
October 14, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-56218 WordPress Contact Form 7 - Dynamic Text Extension plugin <= 5.0.1 - Cross Site Request Forgery (CSRF) vulnerability CVE-2023-3052 Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Post Creation/Modification/Deletion CVE-2021-47860 GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE CVE-2023-27448 WordPress MakeStories (for Google Web Stories) Plugin <= 2.8.0 is vulnerable to Cross Site Request Forgery (CSRF) CVE-2024-31262 WordPress WooCommerce Checkout Field Editor (Checkout Manager) plugin <= 2.1.8 - Cross Site Request Forgery (CSRF) vulnerability