Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
62 vulnerabilities found for suitecrm by suitecrm
CVE-2026-33289 (GCVE-0-2026-33289)
Vulnerability from nvd – Published: 2026-03-19 23:09 – Updated: 2026-03-20 14:58
VLAI?
Title
SuiterCRM has LDAP Filter Injection in Authentication Module
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.8 (High)
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:58:50.559977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:58:56.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:09:07.028Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-26vx-rj47-x599",
"discovery": "UNKNOWN"
},
"title": "SuiterCRM has LDAP Filter Injection in Authentication Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33289",
"datePublished": "2026-03-19T23:09:07.028Z",
"dateReserved": "2026-03-18T18:55:47.426Z",
"dateUpdated": "2026-03-20T14:58:56.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33288 (GCVE-0-2026-33288)
Vulnerability from nvd – Published: 2026-03-19 23:08 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM has Authenticated SQL Injection in Authentication Module
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:58:11.596581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:17.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:08:11.165Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-7g39-m4fg-vrq7",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Authenticated SQL Injection in Authentication Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33288",
"datePublished": "2026-03-19T23:08:11.165Z",
"dateReserved": "2026-03-18T18:55:47.426Z",
"dateUpdated": "2026-03-20T18:09:17.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32697 (GCVE-0-2026-32697)
Vulnerability from nvd – Published: 2026-03-19 23:13 – Updated: 2026-03-20 20:04
VLAI?
Title
SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SuiteCRM | SuiteCRM-Core |
Affected:
< 8.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T20:04:08.531655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:04:17.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user\u0027s ACL view permission. The companion `saveRecord()` method correctly checks `$bean-\u003eACLAccess(\u0027save\u0027)`, but `getRecord()` skips the equivalent `ACLAccess(\u0027view\u0027)` check. Version 8.9.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:13:08.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm"
}
],
"source": {
"advisory": "GHSA-9p9g-224x-6rmm",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM: RecordHandler::getRecord() missing ACLAccess(\u0027view\u0027) check allows any authenticated user to read any record (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32697",
"datePublished": "2026-03-19T23:13:08.280Z",
"dateReserved": "2026-03-13T14:33:42.822Z",
"dateUpdated": "2026-03-20T20:04:17.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29189 (GCVE-0-2026-29189)
Vulnerability from nvd – Published: 2026-03-19 23:05 – Updated: 2026-03-20 14:59
VLAI?
Title
SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29189",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:59:25.962953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:59:32.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:05:16.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-m6x8-3hxp-qxwv",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29189",
"datePublished": "2026-03-19T23:05:16.814Z",
"dateReserved": "2026-03-04T14:44:00.714Z",
"dateUpdated": "2026-03-20T14:59:32.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29109 (GCVE-0-2026-29109)
Vulnerability from nvd – Published: 2026-03-19 23:12 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SuiteCRM | SuiteCRM-Core |
Affected:
< 8.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:57:08.061767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:12.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:12:11.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24"
}
],
"source": {
"advisory": "GHSA-mhq2-277m-6w24",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29109",
"datePublished": "2026-03-19T23:12:11.526Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T18:09:12.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29108 (GCVE-0-2026-29108)
Vulnerability from nvd – Published: 2026-03-19 23:10 – Updated: 2026-03-21 03:06
VLAI?
Title
Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SuiteCRM | SuiteCRM-Core |
Affected:
< 8.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:06:37.852701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:06:59.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it\u0027s possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:10:59.651Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"
}
],
"source": {
"advisory": "GHSA-xc8w-xc9v-45w5",
"discovery": "UNKNOWN"
},
"title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29108",
"datePublished": "2026-03-19T23:10:59.651Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-21T03:06:59.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29107 (GCVE-0-2026-29107)
Vulnerability from nvd – Published: 2026-03-19 23:04 – Updated: 2026-03-20 20:07
VLAI?
Title
SuiteCRM vulnerable to authenticated SSRF via PDF export
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `<img>` tags. When a PDF is exported using this template, the content (for example, `<img src=http://{burp_collaborator_url}>` is rendered server side, and thus a request is issued from the server, resulting in Server-Side Request Forgery. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T20:07:13.441003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:07:22.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `\u003cimg\u003e` tags. When a PDF is exported using this template, the content (for example, `\u003cimg src=http://{burp_collaborator_url}\u003e` is rendered server side, and thus a request is issued from the server, resulting in Server-Side Request Forgery. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:04:12.017Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7cv-4ghj-x98h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7cv-4ghj-x98h"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-g7cv-4ghj-x98h",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM vulnerable to authenticated SSRF via PDF export"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29107",
"datePublished": "2026-03-19T23:04:12.017Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T20:07:22.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29106 (GCVE-0-2026-29106)
Vulnerability from nvd – Published: 2026-03-19 23:02 – Updated: 2026-03-20 14:59
VLAI?
Title
SuiteCRM has blind XSS in return_id parameter
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.
Severity ?
5.9 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:59:53.325267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:59:59.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-159",
"description": "CWE-159: Improper Handling of Invalid Use of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:02:19.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-7qrj-5hj6-7c2m",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has blind XSS in return_id parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29106",
"datePublished": "2026-03-19T23:02:19.944Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T14:59:59.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29105 (GCVE-0-2026-29105)
Vulnerability from nvd – Published: 2026-03-19 22:58 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:58:51.147955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:24.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:59:06.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9crg-83cg-wv74",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9crg-83cg-wv74"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-9crg-83cg-wv74",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29105",
"datePublished": "2026-03-19T22:58:48.879Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T18:09:24.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29104 (GCVE-0-2026-29104)
Vulnerability from nvd – Published: 2026-03-19 22:55 – Updated: 2026-03-21 03:09
VLAI?
Title
SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:08:52.958893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:09:13.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker\u2011controlled filenames to be written to the server. Although the upload directory is not directly web\u2011accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:55:51.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-5hx9-cmmx-26p3",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29104",
"datePublished": "2026-03-19T22:55:51.535Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-21T03:09:13.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29103 (GCVE-0-2026-29103)
Vulnerability from nvd – Published: 2026-03-19 22:54 – Updated: 2026-03-20 20:07
VLAI?
Title
SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T20:07:48.885256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:07:56.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-358",
"description": "CWE-358: Improperly Implemented Security Check for Standard",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:54:34.877Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-5jjq-9qch-9rg7",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29103",
"datePublished": "2026-03-19T22:54:34.877Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T20:07:56.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29102 (GCVE-0-2026-29102)
Vulnerability from nvd – Published: 2026-03-19 22:53 – Updated: 2026-03-20 15:00
VLAI?
Title
SuiteCRM has Authenticated RCE in Modules
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
7.2 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:00:20.313888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:00:25.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:53:09.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-mr5v-wcgr-98qr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-mr5v-wcgr-98qr"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-mr5v-wcgr-98qr",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Authenticated RCE in Modules"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29102",
"datePublished": "2026-03-19T22:53:09.827Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-20T15:00:25.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29101 (GCVE-0-2026-29101)
Vulnerability from nvd – Published: 2026-03-19 22:51 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM Vulnerable to Directory Traversal to DoS in Modules
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
4.9 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:59:10.693199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:29.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:51:47.718Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-24pf-9cvh-ppcg",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Vulnerable to Directory Traversal to DoS in Modules"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29101",
"datePublished": "2026-03-19T22:51:47.718Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-20T18:09:29.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29100 (GCVE-0-2026-29100)
Vulnerability from nvd – Published: 2026-03-19 22:48 – Updated: 2026-03-21 03:10
VLAI?
Title
SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Version 7.15.1 patches the issue.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:10:22.904068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:10:33.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Version 7.15.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:48:49.821Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7hf-3j93-rwm5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7hf-3j93-rwm5"
}
],
"source": {
"advisory": "GHSA-g7hf-3j93-rwm5",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29100",
"datePublished": "2026-03-19T22:48:49.821Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-21T03:10:33.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29099 (GCVE-0-2026-29099)
Vulnerability from nvd – Published: 2026-03-19 22:46 – Updated: 2026-03-25 14:59
VLAI?
Title
SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29099",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:59:05.543643Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:59:47.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:46:56.418Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-38rf-h37x-7767",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality."
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29099",
"datePublished": "2026-03-19T22:46:56.418Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-25T14:59:47.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29098 (GCVE-0-2026-29098)
Vulnerability from nvd – Published: 2026-03-19 22:43 – Updated: 2026-03-20 17:45
VLAI?
Title
SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
4.9 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T17:43:50.482877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T17:45:30.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:47:11.424Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-6858-fhw5-56gf",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29098",
"datePublished": "2026-03-19T22:43:58.568Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-20T17:45:30.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29097 (GCVE-0-2026-29097)
Vulnerability from nvd – Published: 2026-03-19 22:39 – Updated: 2026-03-21 03:11
VLAI?
Title
SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:11:23.199993Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:11:35.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:45:00.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-x3p2-qcqh-qx2m",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29097",
"datePublished": "2026-03-19T22:39:03.546Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-21T03:11:35.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29096 (GCVE-0-2026-29096)
Vulnerability from nvd – Published: 2026-03-19 22:37 – Updated: 2026-03-25 14:57
VLAI?
Title
SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T14:56:51.699648Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T14:57:40.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:44:51.372Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-vh42-gmqm-q55m",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29096",
"datePublished": "2026-03-19T22:37:51.208Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-25T14:57:40.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32697 (GCVE-0-2026-32697)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:13 – Updated: 2026-03-20 20:04
VLAI?
Title
SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SuiteCRM | SuiteCRM-Core |
Affected:
< 8.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T20:04:08.531655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:04:17.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user\u0027s ACL view permission. The companion `saveRecord()` method correctly checks `$bean-\u003eACLAccess(\u0027save\u0027)`, but `getRecord()` skips the equivalent `ACLAccess(\u0027view\u0027)` check. Version 8.9.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:13:08.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm"
}
],
"source": {
"advisory": "GHSA-9p9g-224x-6rmm",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM: RecordHandler::getRecord() missing ACLAccess(\u0027view\u0027) check allows any authenticated user to read any record (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32697",
"datePublished": "2026-03-19T23:13:08.280Z",
"dateReserved": "2026-03-13T14:33:42.822Z",
"dateUpdated": "2026-03-20T20:04:17.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29109 (GCVE-0-2026-29109)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:12 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
Severity ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SuiteCRM | SuiteCRM-Core |
Affected:
< 8.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29109",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:57:08.061767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:12.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:12:11.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24"
}
],
"source": {
"advisory": "GHSA-mhq2-277m-6w24",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29109",
"datePublished": "2026-03-19T23:12:11.526Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T18:09:12.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29108 (GCVE-0-2026-29108)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:10 – Updated: 2026-03-21 03:06
VLAI?
Title
Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SuiteCRM | SuiteCRM-Core |
Affected:
< 8.9.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29108",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:06:37.852701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:06:59.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM-Core",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it\u0027s possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:10:59.651Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"
}
],
"source": {
"advisory": "GHSA-xc8w-xc9v-45w5",
"discovery": "UNKNOWN"
},
"title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29108",
"datePublished": "2026-03-19T23:10:59.651Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-21T03:06:59.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33289 (GCVE-0-2026-33289)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:09 – Updated: 2026-03-20 14:58
VLAI?
Title
SuiterCRM has LDAP Filter Injection in Authentication Module
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.8 (High)
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:58:50.559977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:58:56.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:09:07.028Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-26vx-rj47-x599",
"discovery": "UNKNOWN"
},
"title": "SuiterCRM has LDAP Filter Injection in Authentication Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33289",
"datePublished": "2026-03-19T23:09:07.028Z",
"dateReserved": "2026-03-18T18:55:47.426Z",
"dateUpdated": "2026-03-20T14:58:56.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33288 (GCVE-0-2026-33288)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:08 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM has Authenticated SQL Injection in Authentication Module
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33288",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:58:11.596581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:17.763Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:08:11.165Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-7g39-m4fg-vrq7",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Authenticated SQL Injection in Authentication Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33288",
"datePublished": "2026-03-19T23:08:11.165Z",
"dateReserved": "2026-03-18T18:55:47.426Z",
"dateUpdated": "2026-03-20T18:09:17.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29189 (GCVE-0-2026-29189)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:05 – Updated: 2026-03-20 14:59
VLAI?
Title
SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
8.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29189",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:59:25.962953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:59:32.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:05:16.814Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-m6x8-3hxp-qxwv",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29189",
"datePublished": "2026-03-19T23:05:16.814Z",
"dateReserved": "2026-03-04T14:44:00.714Z",
"dateUpdated": "2026-03-20T14:59:32.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29107 (GCVE-0-2026-29107)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:04 – Updated: 2026-03-20 20:07
VLAI?
Title
SuiteCRM vulnerable to authenticated SSRF via PDF export
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `<img>` tags. When a PDF is exported using this template, the content (for example, `<img src=http://{burp_collaborator_url}>` is rendered server side, and thus a request is issued from the server, resulting in Server-Side Request Forgery. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29107",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T20:07:13.441003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:07:22.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `\u003cimg\u003e` tags. When a PDF is exported using this template, the content (for example, `\u003cimg src=http://{burp_collaborator_url}\u003e` is rendered server side, and thus a request is issued from the server, resulting in Server-Side Request Forgery. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:04:12.017Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7cv-4ghj-x98h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7cv-4ghj-x98h"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-g7cv-4ghj-x98h",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM vulnerable to authenticated SSRF via PDF export"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29107",
"datePublished": "2026-03-19T23:04:12.017Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T20:07:22.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29106 (GCVE-0-2026-29106)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:02 – Updated: 2026-03-20 14:59
VLAI?
Title
SuiteCRM has blind XSS in return_id parameter
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.
Severity ?
5.9 (Medium)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:59:53.325267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:59:59.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-159",
"description": "CWE-159: Improper Handling of Invalid Use of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:02:19.944Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-7qrj-5hj6-7c2m",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has blind XSS in return_id parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29106",
"datePublished": "2026-03-19T23:02:19.944Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T14:59:59.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29105 (GCVE-0-2026-29105)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:58 – Updated: 2026-03-20 18:09
VLAI?
Title
SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29105",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T16:58:51.147955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T18:09:24.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:59:06.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9crg-83cg-wv74",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9crg-83cg-wv74"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-9crg-83cg-wv74",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29105",
"datePublished": "2026-03-19T22:58:48.879Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T18:09:24.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29104 (GCVE-0-2026-29104)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:55 – Updated: 2026-03-21 03:09
VLAI?
Title
SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29104",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-21T03:08:52.958893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-21T03:09:13.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker\u2011controlled filenames to be written to the server. Although the upload directory is not directly web\u2011accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:55:51.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-5hx9-cmmx-26p3",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29104",
"datePublished": "2026-03-19T22:55:51.535Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-21T03:09:13.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29103 (GCVE-0-2026-29103)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:54 – Updated: 2026-03-20 20:07
VLAI?
Title
SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
9.1 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T20:07:48.885256Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:07:56.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-358",
"description": "CWE-358: Improperly Implemented Security Check for Standard",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:54:34.877Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-5jjq-9qch-9rg7",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29103",
"datePublished": "2026-03-19T22:54:34.877Z",
"dateReserved": "2026-03-03T21:54:06.709Z",
"dateUpdated": "2026-03-20T20:07:56.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29102 (GCVE-0-2026-29102)
Vulnerability from cvelistv5 – Published: 2026-03-19 22:53 – Updated: 2026-03-20 15:00
VLAI?
Title
SuiteCRM has Authenticated RCE in Modules
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Severity ?
7.2 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:00:20.313888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:00:25.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T22:53:09.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-mr5v-wcgr-98qr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-mr5v-wcgr-98qr"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-mr5v-wcgr-98qr",
"discovery": "UNKNOWN"
},
"title": "SuiteCRM has Authenticated RCE in Modules"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29102",
"datePublished": "2026-03-19T22:53:09.827Z",
"dateReserved": "2026-03-03T21:54:06.708Z",
"dateUpdated": "2026-03-20T15:00:25.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}