VYPR
Unrated severityNVD Advisory· Published Mar 19, 2026· Updated Mar 25, 2026

SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.

CVE-2026-29099

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the retrieve() function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user controlled $id parameter. It is assumed that the function calling retrieve() will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the EmailUIAjax action on the Email() module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the retrieve() function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Suitecrm/Suitecrmllm-fuzzy2 versions
    <7.15.1 || <8.9.3+ 1 more
    • (no CPE)range: <7.15.1 || <8.9.3
    • (no CPE)range: < 7.15.1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.