SuiteCRM: All CVEs

96 total · sorted by risk (Sev/CVSS blank where no score is published; KEV blank where the entry is not flagged)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-5946 | SuiteCRM | High | 0.51 | 7.8 | 0.02 |  | Aug 7, 2017 | Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. |
| CVE-2015-5948 | SuiteCRM | High | 0.46 | 8.1 | 0.04 |  | Sep 6, 2017 | Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947. |
| CVE-2015-5947 | SuiteCRM | High | 0.46 | 8.1 | 0.03 |  | Sep 6, 2017 | SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. |
| CVE-2019-25664 | SuiteCRM | High | 0.39 | 7.1 | 0.00 |  | Apr 5, 2026 | SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the… |
| CVE-2019-25663 | SuiteCRM | High | 0.39 | 7.1 | 0.00 |  | Apr 5, 2026 | SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using… |
| CVE-2024-36412 | SuiteCRM |  | 0.07 | — | 0.06 |  | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2021-42840 | SuiteCRM |  | 0.07 | — | 0.59 |  | Oct 22, 2021 | SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP… |
| CVE-2020-28328 | SuiteCRM |  | 0.07 | — | 0.64 |  | Nov 6, 2020 | SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled .php file under the web root. |
| CVE-2024-36416 | SuiteCRM |  | 0.04 | — | 0.02 |  | Jun 10, 2024 | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2022-23940 | SuiteCRM |  | 0.04 | — | 0.54 |  | Mar 7, 2022 | SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a… |
| CVE-2021-45897 | SuiteCRM |  | 0.02 | — | 0.05 |  | Jan 28, 2022 | SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows remote code execution. |
| CVE-2021-45041 | SuiteCRM |  | 0.01 | — | 0.02 |  | Dec 19, 2021 | SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving resource_id and start_date. |
| CVE-2026-32697 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion… |
| CVE-2026-29109 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator… |
| CVE-2026-29108 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and… |
| CVE-2026-33289 | SuiteCRM |  | 0.00 | — | 0.01 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied… |
| CVE-2026-33288 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails… |
| CVE-2026-29189 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and… |
| CVE-2026-29107 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `` tags. When a PDF is exported using this template, the content (for example, `<img… |
| CVE-2026-29106 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is… |
| CVE-2026-29105 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter… |
| CVE-2026-29104 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can… |
| CVE-2026-29103 | SuiteCRM |  | 0.00 | — | 0.01 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This… |
| CVE-2026-29102 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue. |
| CVE-2026-29101 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue. |
| CVE-2026-29100 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and… |
| CVE-2026-29099 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user-controlled `$id` parameter.… |
| CVE-2026-29098 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the… |
| CVE-2026-29097 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet… |
| CVE-2026-29096 | SuiteCRM |  | 0.00 | — | 0.00 |  | Mar 19, 2026 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the… |
| CVE-2025-64493 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 8, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL injection inside the appMetadata operation of the GraphQL API. This allows extraction of… |
| CVE-2025-64492 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 8, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by… |
| CVE-2025-64491 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 8, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow unauthenticated reflected Cross-Site Scripting (XSS). Successful exploitation could lead to full account takeover, for example by altering… |
| CVE-2025-64490 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 8, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and… |
| CVE-2025-64489 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 8, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An… |
| CVE-2025-64488 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 7, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects… |
| CVE-2022-50590 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 6, 2025 | SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including… |
| CVE-2022-50589 | SuiteCRM |  | 0.00 | — | 0.01 |  | Nov 6, 2025 | SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code. |
| CVE-2025-41384 | SuiteCRM |  | 0.00 | — | 0.00 |  | Oct 27, 2025 | Reflected Cross-Site Scripting (XSS) vulnerability in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to… |
| CVE-2025-54787 | SuiteCRM |  | 0.00 | — | 0.00 |  | Aug 7, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload directory, as long as it is named by an ID (e.g.… |
| CVE-2025-54784 | SuiteCRM |  | 0.00 | — | 0.00 |  | Aug 7, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of… |
| CVE-2025-54783 | SuiteCRM |  | 0.00 | — | 0.00 |  | Aug 7, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP… |
| CVE-2025-54788 | SuiteCRM |  | 0.00 | — | 0.00 |  | Aug 6, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the InboundEmail module allows the arbitrary execution of queries in the backend database, leading to SQL injection. This can have wide-reaching… |
| CVE-2025-54786 | SuiteCRM |  | 0.00 | — | 0.00 |  | Aug 6, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any… |
| CVE-2025-54785 | SuiteCRM |  | 0.00 | — | 0.00 |  | Aug 6, 2025 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege… |
| CVE-2022-45185 | SuiteCRM |  | 0.00 | — | 0.01 |  | Jan 7, 2025 | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution. |
| CVE-2022-45186 | SuiteCRM |  | 0.00 | — | 0.01 |  | Jan 7, 2025 | An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database. |
| CVE-2024-50335 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This… |
| CVE-2024-50333 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language… |
| CVE-2024-50332 | SuiteCRM |  | 0.00 | — | 0.00 |  | Nov 5, 2024 | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to… |
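The check a reader of this table usually wants is "which of these still apply to the build I am running". The script below is an added example, not part of the tracker page and not SuiteCRM's own tooling. Its RANGES table is a hand transcription of the affected ranges stated in the descriptions above, restricted to entries whose range is stated precisely ("before X", "through X", "A through B", "X and below"); entries that name a single version (for example CVE-2025-54787 on 7.14.6) or whose range is truncated are not included, so an empty result means only that none of the transcribed ranges match. The 7.x and 8.x lines are treated as separate branches, so a 7.x bound says nothing about an 8.x install, and the pre-release form `8.0.0-beta.1` sorts below the final `8.0.0`. The sample versions in the usage block are constructed for illustration.

```python
"""Which CVEs from this page apply to a given SuiteCRM version?

Added example, not part of the tracker page or of SuiteCRM. RANGES is a
hand transcription of the affected ranges stated in the descriptions above
(a subset: only entries whose range is stated precisely); it is not a feed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int, str, int]
Constraint = Tuple[int, str, str]  # (branch major, operator, bound)

# Each CVE maps to a list of alternatives; each alternative is a list of
# constraints that must all hold. Reading of the descriptions above:
#   "before X" / "prior to X"        -> ("<",  X)
#   "through X" / "X and below"      -> ("<=", X)
#   "A through B"                    -> (">=", A) and ("<=", B)
RANGES: Dict[str, List[List[Constraint]]] = {
    "CVE-2021-42840": [[(7, "<", "7.11.19")]],
    "CVE-2020-28328": [[(7, "<", "7.11.17")]],
    "CVE-2022-23940": [[(7, "<=", "7.12.1")], [(8, "<=", "8.0.1")]],
    "CVE-2021-45897": [[(7, "<", "7.12.3")], [(8, "<", "8.0.2")]],
    "CVE-2021-45041": [[(7, "<", "7.12.2")], [(8, "<", "8.0.1")]],
    "CVE-2022-50589": [[(7, "<", "7.12.6")]],
    "CVE-2024-36412": [[(7, "<", "7.14.4")], [(8, "<", "8.6.1")]],
    "CVE-2024-50332": [[(7, "<", "7.14.6")], [(8, "<", "8.7.1")]],
    "CVE-2025-64489": [[(7, "<=", "7.14.7")],
                       [(8, ">=", "8.0.0-beta.1"), (8, "<=", "8.9.0")]],
    "CVE-2025-64493": [[(8, ">=", "8.6.0"), (8, "<=", "8.9.0")]],
    "CVE-2026-29102": [[(7, "<", "7.15.1")], [(8, "<", "8.9.3")]],
    "CVE-2026-33288": [[(7, "<", "7.15.1")], [(8, "<", "8.9.3")]],
    "CVE-2026-32697": [[(8, "<", "8.9.3")]],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.?(\d+)?)?$")


def parse_version(text: str) -> Version:
    """Parse '7.14.6' or '8.0.0-beta.1' into a comparable tuple.

    A pre-release sorts below its final build: the fourth element is 1 for
    a final release and 0 for a pre-release, so 8.0.0-beta.1 < 8.0.0.
    """
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SuiteCRM version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 1, "", 0)
    return (major, minor, patch, 0, tag, int(num or 0))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def _holds(installed: Version, constraint: Constraint) -> bool:
    branch, op, bound = constraint
    # Constraints are per release line: a 7.x bound says nothing about 8.x.
    if installed[0] != branch:
        return False
    return _OPS[op](installed, parse_version(bound))


def applicable_cves(version: str) -> List[str]:
    """Return the CVE IDs from RANGES whose stated range covers `version`."""
    installed = parse_version(version)
    hits = [
        cve for cve, alternatives in RANGES.items()
        if any(all(_holds(installed, c) for c in conj) for conj in alternatives)
    ]
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Constructed sample versions; pass real ones on the command line.
    for v in sys.argv[1:] or ["7.14.6", "8.0.0-beta.1", "8.9.3"]:
        print(v, "->", ", ".join(applicable_cves(v)) or "none of the listed ranges")
```

Run it with the version string from the instance's `suitecrm_version.php` (or the About page) as the argument. Because the entries with the highest risk score on this page (CVE-2015-5946 through CVE-2019-25663) are either single-version statements or very old 7.2.x ranges, they are deliberately not in RANGES; treat the script as a triage aid for the fixed-version entries, not as a replacement for reading each description.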
Page 1 of 2