Suitecrm
Products
1-96 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-5946 | | High | 0.51 | 7.8 | 0.02 | | Aug 7, 2017 | Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. |
| CVE-2015-5948 | | High | 0.46 | 8.1 | 0.04 | | Sep 6, 2017 | Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947. |
| CVE-2015-5947 | | High | 0.46 | 8.1 | 0.03 | | Sep 6, 2017 | SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. |
| CVE-2019-25664 | | High | 0.39 | 7.1 | 0.00 | | Apr 5, 2026 | SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the… |
| CVE-2019-25663 | | High | 0.39 | 7.1 | 0.00 | | Apr 5, 2026 | SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using… |
| CVE-2024-36412 | | | 0.07 | — | 0.06 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2021-42840 | | | 0.07 | — | 0.59 | | Oct 22, 2021 | SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP… |
| CVE-2020-28328 | | | 0.07 | — | 0.64 | | Nov 6, 2020 | SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. |
| CVE-2024-36416 | | | 0.04 | — | 0.02 | | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2022-23940 | | | 0.04 | — | 0.54 | | Mar 7, 2022 | SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a… |
| CVE-2021-45897 | | | 0.02 | — | 0.05 | | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. |
| CVE-2021-45041 | | | 0.01 | — | 0.02 | | Dec 19, 2021 | SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. |
| CVE-2026-32697 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion… |
| CVE-2026-29109 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator… |
| CVE-2026-29108 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and… |
| CVE-2026-33289 | | | 0.00 | — | 0.01 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied… |
| CVE-2026-33288 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails… |
| CVE-2026-29189 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and… |
| CVE-2026-29107 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `` tags. When a PDF is exported using this template, the content (for example, `<img… |
| CVE-2026-29106 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is… |