Unrated severityNVD Advisory· Published Jun 22, 2009· Updated Apr 23, 2026

CVE-2009-2146

Description

Unrestricted file upload vulnerability in the Compose Email feature in the Emails module in Sugar Community Edition (aka SugarCRM) before 5.2f allows remote authenticated users to execute arbitrary code by uploading a file with only an extension in its name, then accessing the file via a direct request to a modified filename under cache/modules/Emails/, as demonstrated using .php as the entire original name.

Affected products

Sugarcrm/Sugarcrm9 versions
cpe:2.3:a:sugarcrm:sugarcrm:5.0.0h:*:sugar_community_edition:*:*:*:*:*+ 8 more
- cpe:2.3:a:sugarcrm:sugarcrm:5.0.0h:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.0.0k:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.0.0:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.1.0-beta:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.1.0:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.1c:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.2c:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:5.2d:*:sugar_community_edition:*:*:*:*:*
- cpe:2.3:a:sugarcrm:sugarcrm:*:*:sugar_community_edition:*:*:*:*:*range: <=5.2e

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/35361nvdExploit
www.ush.it/team/ush/hack-sugarcrm_520e/adv.txtnvdExploit
secunia.com/advisories/35445nvdVendor Advisory
www.sugarforge.org/frs/download.php/5598/Sugar_CommunityEdition_ReleaseNotes_5.2f.pdfnvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.007
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000