Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for SuiteCRM-Core by SuiteCRM

    CVE-2026-32697 (GCVE-0-2026-32697)

    Vulnerability from nvd – Published: 2026-03-19 23:13 – Updated: 2026-03-20 20:04
    VLAI
    Title
    SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T20:04:08.531655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T20:04:17.239Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user\u0027s ACL view permission. The companion `saveRecord()` method correctly checks `$bean-\u003eACLAccess(\u0027save\u0027)`, but `getRecord()` skips the equivalent `ACLAccess(\u0027view\u0027)` check. Version 8.9.3 patches the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T23:13:08.280Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm"
            }
          ],
          "source": {
            "advisory": "GHSA-9p9g-224x-6rmm",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM: RecordHandler::getRecord() missing ACLAccess(\u0027view\u0027) check allows any authenticated user to read any record (IDOR)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32697",
        "datePublished": "2026-03-19T23:13:08.280Z",
        "dateReserved": "2026-03-13T14:33:42.822Z",
        "dateUpdated": "2026-03-20T20:04:17.239Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29109 (GCVE-0-2026-29109)

    Vulnerability from nvd – Published: 2026-03-19 23:12 – Updated: 2026-03-20 18:09
    VLAI
    Title
    SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29109",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T16:57:08.061767Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T18:09:12.156Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T23:12:11.526Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24"
            }
          ],
          "source": {
            "advisory": "GHSA-mhq2-277m-6w24",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29109",
        "datePublished": "2026-03-19T23:12:11.526Z",
        "dateReserved": "2026-03-03T21:54:06.709Z",
        "dateUpdated": "2026-03-20T18:09:12.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29108 (GCVE-0-2026-29108)

    Vulnerability from nvd – Published: 2026-03-19 23:10 – Updated: 2026-03-21 03:06
    VLAI
    Title
    Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29108",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-21T03:06:37.852701Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-21T03:06:59.568Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it\u0027s possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T23:10:59.651Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"
            }
          ],
          "source": {
            "advisory": "GHSA-xc8w-xc9v-45w5",
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29108",
        "datePublished": "2026-03-19T23:10:59.651Z",
        "dateReserved": "2026-03-03T21:54:06.709Z",
        "dateUpdated": "2026-03-21T03:06:59.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64493 (GCVE-0-2025-64493)

    Vulnerability from nvd – Published: 2025-11-08 01:16 – Updated: 2025-11-10 16:39
    VLAI
    Title
    SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: >= 8.6.0, < 8.9.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64493",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-10T16:39:04.848713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-10T16:39:27.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.6.0, \u003c 8.9.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-08T01:16:22.833Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-5gcj-mfqq-v8f7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-5gcj-mfqq-v8f7"
            },
            {
              "name": "https://docs.suitecrm.com/community/security-policy",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.suitecrm.com/community/security-policy"
            }
          ],
          "source": {
            "advisory": "GHSA-5gcj-mfqq-v8f7",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64493",
        "datePublished": "2025-11-08T01:16:22.833Z",
        "dateReserved": "2025-11-05T19:12:25.103Z",
        "dateUpdated": "2025-11-10T16:39:27.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64492 (GCVE-0-2025-64492)

    Vulnerability from nvd – Published: 2025-11-08 01:07 – Updated: 2025-11-10 15:14
    VLAI
    Title
    SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64492",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-10T15:13:52.410592Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-10T15:14:20.621Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-08T01:07:23.393Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp"
            }
          ],
          "source": {
            "advisory": "GHSA-54m4-4p54-j8hp",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64492",
        "datePublished": "2025-11-08T01:07:23.393Z",
        "dateReserved": "2025-11-05T19:12:25.103Z",
        "dateUpdated": "2025-11-10T15:14:20.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54786 (GCVE-0-2025-54786)

    Vulnerability from nvd – Published: 2025-08-06 23:23 – Updated: 2025-08-07 14:47
    VLAI
    Title
    SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: >= 8.8.0, < 8.8.1
    Affected: >= 7.14.6, < 7.14.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54786",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-07T14:47:43.183066Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-07T14:47:54.710Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.8.0, \u003c 8.8.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.14.6, \u003c 7.14.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user\u0027s meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-06T23:23:00.948Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm"
            },
            {
              "name": "https://docs.suitecrm.com/8.x/admin/releases/8.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.suitecrm.com/8.x/admin/releases/8.8"
            }
          ],
          "source": {
            "advisory": "GHSA-rf2v-4mv3-qcgm",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54786",
        "datePublished": "2025-08-06T23:23:00.948Z",
        "dateReserved": "2025-07-29T16:50:28.392Z",
        "dateUpdated": "2025-08-07T14:47:54.710Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-32697 (GCVE-0-2026-32697)

    Vulnerability from cvelistv5 – Published: 2026-03-19 23:13 – Updated: 2026-03-20 20:04
    VLAI
    Title
    SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-32697",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T20:04:08.531655Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T20:04:17.239Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user\u0027s ACL view permission. The companion `saveRecord()` method correctly checks `$bean-\u003eACLAccess(\u0027save\u0027)`, but `getRecord()` skips the equivalent `ACLAccess(\u0027view\u0027)` check. Version 8.9.3 patches the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T23:13:08.280Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm"
            }
          ],
          "source": {
            "advisory": "GHSA-9p9g-224x-6rmm",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM: RecordHandler::getRecord() missing ACLAccess(\u0027view\u0027) check allows any authenticated user to read any record (IDOR)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-32697",
        "datePublished": "2026-03-19T23:13:08.280Z",
        "dateReserved": "2026-03-13T14:33:42.822Z",
        "dateUpdated": "2026-03-20T20:04:17.239Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29109 (GCVE-0-2026-29109)

    Vulnerability from cvelistv5 – Published: 2026-03-19 23:12 – Updated: 2026-03-20 18:09
    VLAI
    Title
    SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29109",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-20T16:57:08.061767Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-20T18:09:12.156Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T23:12:11.526Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24"
            }
          ],
          "source": {
            "advisory": "GHSA-mhq2-277m-6w24",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29109",
        "datePublished": "2026-03-19T23:12:11.526Z",
        "dateReserved": "2026-03-03T21:54:06.709Z",
        "dateUpdated": "2026-03-20T18:09:12.156Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-29108 (GCVE-0-2026-29108)

    Vulnerability from cvelistv5 – Published: 2026-03-19 23:10 – Updated: 2026-03-21 03:06
    VLAI
    Title
    Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-29108",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-21T03:06:37.852701Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-21T03:06:59.568Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it\u0027s possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-19T23:10:59.651Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"
            }
          ],
          "source": {
            "advisory": "GHSA-xc8w-xc9v-45w5",
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-29108",
        "datePublished": "2026-03-19T23:10:59.651Z",
        "dateReserved": "2026-03-03T21:54:06.709Z",
        "dateUpdated": "2026-03-21T03:06:59.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64493 (GCVE-0-2025-64493)

    Vulnerability from cvelistv5 – Published: 2025-11-08 01:16 – Updated: 2025-11-10 16:39
    VLAI
    Title
    SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: >= 8.6.0, < 8.9.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64493",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-10T16:39:04.848713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-10T16:39:27.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.6.0, \u003c 8.9.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-08T01:16:22.833Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-5gcj-mfqq-v8f7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-5gcj-mfqq-v8f7"
            },
            {
              "name": "https://docs.suitecrm.com/community/security-policy",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.suitecrm.com/community/security-policy"
            }
          ],
          "source": {
            "advisory": "GHSA-5gcj-mfqq-v8f7",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64493",
        "datePublished": "2025-11-08T01:16:22.833Z",
        "dateReserved": "2025-11-05T19:12:25.103Z",
        "dateUpdated": "2025-11-10T16:39:27.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64492 (GCVE-0-2025-64492)

    Vulnerability from cvelistv5 – Published: 2025-11-08 01:07 – Updated: 2025-11-10 15:14
    VLAI
    Title
    SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: < 8.9.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64492",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-10T15:13:52.410592Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-10T15:14:20.621Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 8.9.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-08T01:07:23.393Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp"
            }
          ],
          "source": {
            "advisory": "GHSA-54m4-4p54-j8hp",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-64492",
        "datePublished": "2025-11-08T01:07:23.393Z",
        "dateReserved": "2025-11-05T19:12:25.103Z",
        "dateUpdated": "2025-11-10T15:14:20.621Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54786 (GCVE-0-2025-54786)

    Vulnerability from cvelistv5 – Published: 2025-08-06 23:23 – Updated: 2025-08-07 14:47
    VLAI
    Title
    SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data
    Summary
    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-284 - Improper Access Control
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    SuiteCRM SuiteCRM-Core Affected: >= 8.8.0, < 8.8.1
    Affected: >= 7.14.6, < 7.14.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54786",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-07T14:47:43.183066Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-07T14:47:54.710Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SuiteCRM-Core",
              "vendor": "SuiteCRM",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 8.8.0, \u003c 8.8.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 7.14.6, \u003c 7.14.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user\u0027s meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-06T23:23:00.948Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-rf2v-4mv3-qcgm"
            },
            {
              "name": "https://docs.suitecrm.com/8.x/admin/releases/8.8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://docs.suitecrm.com/8.x/admin/releases/8.8"
            }
          ],
          "source": {
            "advisory": "GHSA-rf2v-4mv3-qcgm",
            "discovery": "UNKNOWN"
          },
          "title": "SuiteCRM: Legacy iCal service allows unauthenticated access to meeting data"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54786",
        "datePublished": "2025-08-06T23:23:00.948Z",
        "dateReserved": "2025-07-29T16:50:28.392Z",
        "dateUpdated": "2025-08-07T14:47:54.710Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }