SuiteCRM — Vulnerabilities & Security Advisories (35)

Browse all 35 CVE security advisories affecting SuiteCRM. AI-powered Chinese analysis, POCs, and references for each vulnerability.

SuiteCRM is a PHP-based open-source customer relationship management platform for managing sales, marketing and support interactions. Two products are tracked here: SuiteCRM (the 7.x codebase) and SuiteCRM-Core (the SuiteCRM 8 codebase). The 35 advisories listed on this page are dominated by SQL injection (CWE-89, nine entries, the highest-rated being CVE-2022-50589 in the 'export' functionality at CVSS 9.8) and by authorization failures: IDOR and missing ACL checks on records, attachments and the REST API v8 (CWE-639, CWE-285), inconsistent RBAC enforcement (CWE-863), and improper session invalidation that lets a deactivated user keep access (CWE-269). The remainder are cross-site scripting (CWE-79), code injection and unsafe deserialization leading to remote code execution (CWE-94, CWE-502), path traversal (CWE-23), server-side request forgery (CWE-918), LDAP filter injection in the authentication module (CWE-90), an open redirect in WebToLead capture (CWE-601), an arbitrary file upload in the Configurator (CWE-434), a type confusion in deleteAttachment (CWE-843) and disclosure of any user's password hash (CWE-200). Nearly every entry requires an authenticated session; only the reflected XSS on the login page (CVE-2025-64491) and the WebToLead open redirect (CVE-2026-29105) are described as unauthenticated, so a low-privileged CRM account is the realistic starting point for most of these issues, and the inactive-user and RBAC bypasses make such accounts more valuable than they look. Operators should apply vendor updates promptly, limit who can log in (including LDAP-backed accounts), and audit ACL configuration on custom modules and the API; note that several entries carry a CVSS score but no severity rating from the source.

Products listed: SuiteCRM, SuiteCRM-Core (the SuiteCRM 8 codebase)
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2019-25664 | SuiteCRM 7.10.7 SQL Injection via record Parameter | SuiteCRM | CWE-89 | 7.1 | High | 2026-04-05 |
| CVE-2019-25663 | SuiteCRM 7.10.7 SQL Injection via parentTab Parameter | SuiteCRM | CWE-89 | 7.1 | High | 2026-04-05 |
| CVE-2026-32697 | SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR) | SuiteCRM-Core | CWE-639 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-29109 | SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing | SuiteCRM-Core | CWE-502 | 7.2 | - | 2026-03-19 |
| CVE-2026-29108 | Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User | SuiteCRM-Core | CWE-200 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-33289 | SuiteCRM has LDAP Filter Injection in Authentication Module | SuiteCRM | CWE-90 | 8.8 | High | 2026-03-19 |
| CVE-2026-33288 | SuiteCRM has Authenticated SQL Injection in Authentication Module | SuiteCRM | CWE-89 | 8.8 | High | 2026-03-19 |
| CVE-2026-29189 | SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints | SuiteCRM | CWE-639 | 8.1 | High | 2026-03-19 |
| CVE-2026-29107 | SuiteCRM vulnerable to authenticated SSRF via PDF export | SuiteCRM | CWE-918 | 5.0 | Medium | 2026-03-19 |
| CVE-2026-29106 | SuiteCRM has blind XSS in return_id parameter | SuiteCRM | CWE-79 | 5.9 | Medium | 2026-03-19 |
| CVE-2026-29105 | SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture | SuiteCRM | CWE-601 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-29104 | SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View | SuiteCRM | CWE-434 | 2.7 | Low | 2026-03-19 |
| CVE-2026-29103 | SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass | SuiteCRM | CWE-94 | 9.1 | Critical | 2026-03-19 |
| CVE-2026-29102 | SuiteCRM has Authenticated RCE in Modules | SuiteCRM | CWE-94 | 7.2 | High | 2026-03-19 |
| CVE-2026-29101 | SuiteCRM Vulnerable to Directory Traversal to DoS in Modules | SuiteCRM | CWE-23 | 4.9 | Medium | 2026-03-19 |
| CVE-2026-29100 | SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter | SuiteCRM | CWE-79 | 7.1 | High | 2026-03-19 |
| CVE-2026-29099 | SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality | SuiteCRM | CWE-89 | 8.8 | High | 2026-03-19 |
| CVE-2026-29098 | SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action | SuiteCRM | CWE-23 | 4.9 | Medium | 2026-03-19 |
| CVE-2026-29097 | SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet | SuiteCRM | CWE-918 | 6.5 | - | 2026-03-19 |
| CVE-2026-29096 | SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields | SuiteCRM | CWE-89 | 8.1 | High | 2026-03-19 |
| CVE-2025-64493 | SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL | SuiteCRM-Core | CWE-89 | 6.5 | Medium | 2025-11-08 |
| CVE-2025-64492 | SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection | SuiteCRM-Core | CWE-89 | 8.8 | High | 2025-11-08 |
| CVE-2025-64491 | SuiteCRM is vulnerable to unauthenticated reflected XSS through its Login page | SuiteCRM | CWE-79 | 6.1 | Medium | 2025-11-08 |
| CVE-2025-64490 | SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass | SuiteCRM | CWE-863 | 8.3 | High | 2025-11-08 |
| CVE-2025-64489 | SuiteCRM: Privilege Escalation via Improper Session Invalidation and Inactive User Bypass | SuiteCRM | CWE-269 | 8.3 | High | 2025-11-08 |
| CVE-2025-64488 | SuiteCRM: Authenticated SQL Injection Possible in Reschedule Call Module | SuiteCRM | CWE-89 | 8.8 | - | 2025-11-07 |
| CVE-2022-50590 | SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality | SuiteCRM | CWE-843 | 7.5 | - | 2025-11-06 |
| CVE-2022-50589 | SuiteCRM < 7.12.6 SQL Injection via 'export' Functionality | SuiteCRM | CWE-89 | 9.8 | - | 2025-11-06 |
| CVE-2025-41384 | Reflected Cross-Site Scripting (XSS) in SuiteCRM | SuiteCRM | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-54787 | SuiteCRM: Improper Authorization for attachment downloads | SuiteCRM | CWE-285 | 3.7 | Low | 2025-08-07 |

Severity is shown as "-" where the source assigns none; values marked "(AI)" are the site's AI-generated estimates rather than a published rating.

This page lists every published CVE security advisory associated with SuiteCRM. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
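As a triage aid for a listing like this one, the following Python is an added example written for this page; it is not code from SuiteCRM or from the site. It parses rows in the flattened one-line form the table above extracts to (product, CWE, CVSS, severity and date run together), fills in the standard CVSS v3.x qualitative rating band where the source shows no severity, keeps the page's "AI" badge as a flag, and ranks entries by score with pre-authentication issues first on ties. The sample rows are a constructed subset copied from the table above. Classifying an entry as authenticated or not from keywords in its title is a heuristic this example assumes, not a field the page provides.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of rows copied from the advisory table on this
# page, in the flattened one-line form the page extracts to.
ROWS = """\
CVE-2026-29103 SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass — SuiteCRMCWE-94 9.1 Critical2026-03-19
CVE-2026-29105 SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture — SuiteCRMCWE-601 5.4 Medium2026-03-19
CVE-2026-29109 SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Processing — SuiteCRM-CoreCWE-502 7.2 -2026-03-19
CVE-2026-33288 SuiteCRM has Authenticated SQL Injection in Authentication Module — SuiteCRMCWE-89 8.8 High2026-03-19
CVE-2025-64491 SuiteCRM is vulnerable to unauthenticated reflected XSS through its Login page — SuiteCRMCWE-79 6.1 Medium2025-11-08
CVE-2025-41384 Reflected Cross-Site Scripting (XSS) in SuiteCRM — SuiteCRMCWE-79 6.1AIMediumAI2025-10-27
CVE-2022-50589 SuiteCRM < 7.12.6 SQL Injection via 'export' Functionality — SuiteCRMCWE-89 9.8 -2025-11-06
"""

# One flattened row: product and CWE are fused, the "AI" badge may follow the
# score and the severity, and severity may be "-" (none assigned by the source).
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+—\s+"
    r"(?P<product>SuiteCRM(?:-Core)?)(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)(?P<ai>AI)?\s*"
    r"(?P<severity>Critical|High|Medium|Low|-)(?:AI)?"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)

# Tie-break order for equal CVSS: issues reachable without a login first.
AUTH_RANK = {"unauthenticated": 0, "unknown": 1, "authenticated": 2}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    product: str
    cwe: str
    cvss: float
    severity: str          # as listed, or derived from CVSS when the page shows "-"
    severity_derived: bool
    ai_estimated: bool     # score/severity carried the page's "AI" badge
    published: str
    auth: str              # "unauthenticated", "authenticated" or "unknown"


def severity_from_score(cvss: float) -> str:
    """CVSS v3.x qualitative rating bands: 0.1-3.9 Low, 4.0-6.9 Medium,
    7.0-8.9 High, 9.0-10.0 Critical."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def auth_from_title(title: str) -> str:
    """Heuristic assumed by this example: advisory titles say
    'Unauthenticated' or 'Authenticated' when the reporter flagged it."""
    t = title.lower()
    if "unauthenticated" in t:       # must be tested before "authenticated"
        return "unauthenticated"
    if "authenticated" in t:
        return "authenticated"
    return "unknown"


def parse_rows(text: str) -> list[Advisory]:
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        cvss = float(m["cvss"])
        listed = m["severity"]
        derived = listed == "-"
        advisories.append(Advisory(
            cve=m["cve"], title=m["title"], product=m["product"], cwe=m["cwe"],
            cvss=cvss,
            severity=severity_from_score(cvss) if derived else listed,
            severity_derived=derived,
            ai_estimated=m["ai"] is not None,
            published=m["published"],
            auth=auth_from_title(m["title"]),
        ))
    return advisories


def count_by_cwe(advisories: list[Advisory]) -> Counter:
    return Counter(a.cwe for a in advisories)


def prioritize(advisories: list[Advisory]) -> list[Advisory]:
    """Highest CVSS first; on ties, pre-auth issues outrank post-auth ones."""
    return sorted(advisories, key=lambda a: (-a.cvss, AUTH_RANK[a.auth], a.cve))


if __name__ == "__main__":
    advs = parse_rows(ROWS)
    print("by CWE:", dict(count_by_cwe(advs)))
    for a in prioritize(advs):
        flag = "*" if a.severity_derived else ("~" if a.ai_estimated else " ")
        print(f"{flag} {a.cvss:>4} {a.severity:<8} {a.auth:<15} {a.cve} {a.product}")
```

Run it with `python3 triage.py`: it prints the CWE distribution and the ranked list, marking rows whose severity was derived from the score with `*` and rows carrying the site's AI badge with `~`. Paste the remaining rows of the table into ROWS to rank all 35; a row the regex cannot read raises rather than being silently dropped, which is the behaviour you want when the input comes from an extracted page.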