CVE-2026-29096
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the field_function parameter from POST data is saved directly into the aor_fields table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SuiteCRM | SuiteCRM | < 7.15.1 | affected |
| SuiteCRM | SuiteCRM | >= 8.0.0, < 8.9.3 | affected |
Weaknesses
- CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m
- https://docs.suitecrm.com/admin/releases/7.15.x
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.