VYPR · Vendor CVEs

SuiteCRM: All CVEs

96 total · sorted by risk
  • CVE-2015-5946 · High · Aug 7, 2017
    risk 0.51 · cvss 7.8 · epss 0.02

    Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension.

  • CVE-2015-5948 · High · Sep 6, 2017
    risk 0.46 · cvss 8.1 · epss 0.04

    Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.

  • CVE-2015-5947 · High · Sep 6, 2017
    risk 0.46 · cvss 8.1 · epss 0.03

    SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code.

  • CVE-2019-25664 · High · Apr 5, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the…

  • CVE-2019-25663 · High · Apr 5, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using…

  • CVE-2024-36412 · Jun 10, 2024
    risk 0.07 · cvss n/a · epss 0.06

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2021-42840 · Oct 22, 2021
    risk 0.07 · cvss n/a · epss 0.59

    SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP…

  • CVE-2020-28328 · Nov 6, 2020
    risk 0.07 · cvss n/a · epss 0.64

    SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root.

  • CVE-2024-36416 · Jun 10, 2024
    risk 0.04 · cvss n/a · epss 0.02

    SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue.

  • CVE-2022-23940 · Mar 7, 2022
    risk 0.04 · cvss n/a · epss 0.54

    SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a…

  • CVE-2021-45897 · Jan 28, 2022
    risk 0.02 · cvss n/a · epss 0.05

    SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution.

  • CVE-2021-45041 · Dec 19, 2021
    risk 0.01 · cvss n/a · epss 0.02

    SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date.

  • CVE-2026-32697 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion…

  • CVE-2026-29109 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator…

  • CVE-2026-29108 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and…

  • CVE-2026-33289 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied…

  • CVE-2026-33288 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails…

  • CVE-2026-29189 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and…

  • CVE-2026-29107 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `` tags. When a PDF is exported using this template, the content (for example, `<img…

  • CVE-2026-29106 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is…

  • CVE-2026-29105 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter…

  • CVE-2026-29104 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can…

  • CVE-2026-29103 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This…

  • CVE-2026-29102 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.

  • CVE-2026-29101 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.

  • CVE-2026-29100 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and…

  • CVE-2026-29099 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter.…

  • CVE-2026-29098 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the…

  • CVE-2026-29097 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet…

  • CVE-2026-29096 · Mar 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the…

  • CVE-2025-64493 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of…

  • CVE-2025-64492 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by…

  • CVE-2025-64491 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering…

  • CVE-2025-64490 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and…

  • CVE-2025-64489 · Nov 8, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An…

  • CVE-2025-64488 · Nov 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects…

  • CVE-2022-50590 · Nov 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including…

  • CVE-2022-50589 · Nov 6, 2025
    risk 0.00 · cvss n/a · epss 0.01

    SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code.

  • CVE-2025-41384 · Oct 27, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Reflected Cross-Site Scripting (XSS) vulnerability in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to…

  • CVE-2025-54787 · Aug 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload-directory, as long as it is named by an ID (e.g.…

  • CVE-2025-54784 · Aug 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of…

  • CVE-2025-54783 · Aug 7, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP…

  • CVE-2025-54788 · Aug 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the InboundEmail module allows the arbitrary execution of queries in the backend database, leading to SQL injection. This can have wide-reaching…

  • CVE-2025-54786 · Aug 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any…

  • CVE-2025-54785 · Aug 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege…

  • CVE-2022-45185 · Jan 7, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution.

  • CVE-2022-45186 · Jan 7, 2025
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.

  • CVE-2024-50335 · Nov 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This…

  • CVE-2024-50333 · Nov 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language…

  • CVE-2024-50332 · Nov 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to…

Page 1 of 2