CVE-2026-29099

Summary

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the retrieve() function in include/OutboundEmail/OutboundEmail.php fails to properly neutralize the user controlled $id parameter. It is assumed that the function calling retrieve() will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the EmailUIAjax action on the Email() module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the retrieve() function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.

Affected Software

VendorProductVersion RangeStatus
SuiteCRMSuiteCRM< 7.15.1affected
SuiteCRMSuiteCRM>= 8.0.0, < 8.9.3affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References