
SuiteCRM — Vulnerabilities & Security Advisories (51)

All 51 CVE vulnerabilities found in SuiteCRM, with AI-generated Chinese analysis, references, and POCs.

This page documents known security vulnerabilities, specifically Common Weakness Enumeration (CWE) weaknesses, affecting the SuiteCRM product. It aggregates data on various flaw categories including injection errors, cross-site scripting issues, and improper access control mechanisms found within the software’s codebase or configuration. The collection covers disclosed vulnerabilities from their initial public announcement up to the most recent updates, providing a comprehensive historical timeline of security incidents. Readers can use this resource to track Oracle and SuiteCRM’s advisory releases, understand the broader implications of specific vulnerability classes in CRM environments, and investigate the complete vulnerability history associated with SuiteCRM deployments. This information supports security teams in prioritizing patches, assessing risk exposure, and maintaining compliance with organizational security policies. The data is organized to facilitate easy navigation by weakness type, release version, or disclosure date, ensuring that developers and administrators can quickly locate relevant details. By centralizing these records, the page aims to improve transparency and streamline the remediation process for stakeholders involved in SuiteCRM maintenance and security auditing.

Vendor: salesagility

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2019-25664 | SuiteCRM 7.10.7 SQL Injection via record Parameter | CWE-89 | 7.1 | High | 2026-04-05 |
| CVE-2019-25663 | SuiteCRM 7.10.7 SQL Injection via parentTab Parameter | CWE-89 | 7.1 | High | 2026-04-05 |
| CVE-2026-33289 | SuiteCRM has LDAP Filter Injection in Authentication Module | CWE-90 | 8.8 | High | 2026-03-19 |
| CVE-2026-33288 | SuiteCRM has Authenticated SQL Injection in Authentication Module | CWE-89 | 8.8 | High | 2026-03-19 |
| CVE-2026-29189 | SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints | CWE-639 | 8.1 | High | 2026-03-19 |
| CVE-2026-29107 | SuiteCRM vulnerable to authenticated SSRF via PDF export | CWE-918 | 5.0 | Medium | 2026-03-19 |
| CVE-2026-29106 | SuiteCRM has blind XSS in return_id parameter | CWE-79 | 5.9 | Medium | 2026-03-19 |
| CVE-2026-29105 | SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture | CWE-601 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-29104 | SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM | CWE-434 | 2.7 | Low | 2026-03-19 |
| CVE-2026-29103 | SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass | CWE-94 | 9.1 | Critical | 2026-03-19 |
| CVE-2026-29102 | SuiteCRM has Authenticated RCE in Modules | CWE-94 | 7.2 | High | 2026-03-19 |
| CVE-2026-29101 | SuiteCRM Vulnerable to Directory Traversal to DoS in Modules | CWE-23 | 4.9 | Medium | 2026-03-19 |
| CVE-2026-29100 | SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter | CWE-79 | 7.1 | High | 2026-03-19 |
| CVE-2026-29099 | SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality | CWE-89 | 8.8 | High | 2026-03-19 |
| CVE-2026-29098 | SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action | CWE-23 | 4.9 | Medium | 2026-03-19 |
| CVE-2026-29097 | SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet | CWE-918 | 6.5 | - | 2026-03-19 |
| CVE-2026-29096 | SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields | CWE-89 | 8.1 | High | 2026-03-19 |
| CVE-2025-64491 | SuiteCRM is vulnerable to unauthenticated reflected XSS through its Login page | CWE-79 | 6.1 | Medium | 2025-11-08 |
| CVE-2025-64490 | SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass | CWE-863 | 8.3 | High | 2025-11-08 |
| CVE-2025-64489 | SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass | CWE-269 | 8.3 | High | 2025-11-08 |
| CVE-2025-64488 | SuiteCRM: Authenticated SQL Injection Possible in Reschedule Call Module | CWE-89 | 8.8 | - | 2025-11-07 |
| CVE-2022-50590 | SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality | CWE-843 | 7.5 | - | 2025-11-06 |
| CVE-2022-50589 | SuiteCRM < 7.12.6 SQL Injection via 'export' Functionality | CWE-89 | 9.8 | - | 2025-11-06 |
| CVE-2025-41384 | Reflected Cross-Site Scripting (XSS) in SuiteCRM | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-54787 | SuiteCRM: Improper Authorization for attachment downloads | CWE-285 | 3.7 | Low | 2025-08-07 |
| CVE-2025-54784 | SuiteCRM is vulnerable to Cross Site Scripting (XSS) through its email viewer | CWE-79 | 8.8 (AI) | High (AI) | 2025-08-07 |
| CVE-2025-54783 | SuiteCRM: Reflected Cross Site Scripting (XSS) through HTTP Referrer header | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-08-07 |
| CVE-2025-54788 | SuiteCRM: Authenticated Blind SQL Injection in InboundEmail module | CWE-89 | 8.8 | High | 2025-08-06 |
| CVE-2025-54785 | SuiteCRM is Vulnerable to PHP Object Injection in Reports | CWE-20 | 8.8 | High | 2025-08-06 |
| CVE-2024-50335 | Authenticated XSS in "Publish Key" Field Allowing Unauthorized Administrator User Creation in SuiteCRM | CWE-79 | 4.9 | Medium | 2024-11-05 |

Entries marked "(AI)" carry an AI-estimated CVSS score and severity rather than a vendor- or NVD-assigned one; "-" means no severity rating was listed.
