Vulnerability-Lookup

CVE-2026-29099 (GCVE-0-2026-29099)

Vulnerability from cvelistv5 – Published: 2026-03-19 22:46 – Updated: 2026-03-25 14:59

Title

SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.

Summary

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/SuiteCRM/SuiteCRM/security/adv…	x_refsource_CONFIRM
	https://docs.suitecrm.com/admin/releases/7.15.x	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SuiteCRM	SuiteCRM	Affected: < 7.15.1 Affected: >= 8.0.0, < 8.9.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29099",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:59:05.543643Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:59:47.571Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SuiteCRM",
          "vendor": "SuiteCRM",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.15.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax`  action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T22:46:56.418Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767"
        },
        {
          "name": "https://docs.suitecrm.com/admin/releases/7.15.x",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.suitecrm.com/admin/releases/7.15.x"
        }
      ],
      "source": {
        "advisory": "GHSA-38rf-h37x-7767",
        "discovery": "UNKNOWN"
      },
      "title": "SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality."
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29099",
    "datePublished": "2026-03-19T22:46:56.418Z",
    "dateReserved": "2026-03-03T21:54:06.708Z",
    "dateUpdated": "2026-03-25T14:59:47.571Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29099\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-19T23:16:41.920\",\"lastModified\":\"2026-03-24T14:45:01.150\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax`  action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.\"},{\"lang\":\"es\",\"value\":\"SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, la funci\u00f3n \u0027retrieve()\u0027 en \u0027include/OutboundEmail/OutboundEmail.php\u0027 no neutraliza correctamente el par\u00e1metro \u0027$id\u0027 controlado por el usuario. Se asume que la funci\u00f3n que llama a \u0027retrieve()\u0027 citar\u00e1 y sanear\u00e1 adecuadamente la entrada del usuario. Sin embargo, se han identificado dos ubicaciones a las que se puede acceder a trav\u00e9s de la acci\u00f3n \u0027EmailUIAjax\u0027 en el m\u00f3dulo \u0027Email()\u0027 donde este no es el caso. Como tal, es posible que un usuario autenticado realice una inyecci\u00f3n SQL a trav\u00e9s de la funci\u00f3n \u0027retrieve()\u0027. Esto afecta a las \u00faltimas versiones principales 7.15 y 8.9. Dado que no parece haber restricciones sobre qu\u00e9 tablas pueden ser llamadas, ser\u00eda posible para un atacante recuperar informaci\u00f3n arbitraria de la base de datos, incluyendo informaci\u00f3n de usuario y hashes de contrase\u00f1a. Las versiones 7.15.1 y 8.9.3 parchean el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.15.1\",\"matchCriteriaId\":\"73648654-E7F6-47CF-8E01-19BBFF737C99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.9.3\",\"matchCriteriaId\":\"C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF\"}]}]}],\"references\":[{\"url\":\"https://docs.suitecrm.com/admin/releases/7.15.x\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29099\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T14:59:05.543643Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T14:59:39.486Z\"}}], \"cna\": {\"title\": \"SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.\", \"source\": {\"advisory\": \"GHSA-38rf-h37x-7767\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"SuiteCRM\", \"product\": \"SuiteCRM\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 7.15.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 8.0.0, \u003c 8.9.3\"}]}], \"references\": [{\"url\": \"https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767\", \"name\": \"https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://docs.suitecrm.com/admin/releases/7.15.x\", \"name\": \"https://docs.suitecrm.com/admin/releases/7.15.x\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax`  action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-19T22:46:56.418Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29099\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T14:59:47.571Z\", \"dateReserved\": \"2026-03-03T21:54:06.708Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-19T22:46:56.418Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-29099

Vulnerability from fkie_nvd - Published: 2026-03-19 23:16 - Updated: 2026-03-24 14:45

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H