SuiteCRM/SuiteCRM-Core

GitHub

github.com

www.suitecrm.com

Releases45

Frequency1 month 1 week

Last Release about 1 month ago

Stars265

SuiteCRM - Open source CRM for the world

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-29109 ↗	Mar 20, 2026Friday, 20 March 2026, 00:16	7.2 HIGH	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
CVE-2026-32697 ↗	Mar 20, 2026Friday, 20 March 2026, 00:16	6.5 MEDIUM	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
CVE-2026-29108 ↗	Mar 20, 2026Friday, 20 March 2026, 00:16	6.5 MEDIUM	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
CVE-2025-64492 ↗	Nov 8, 2025Saturday, 8 November 2025, 02:15	8.8 HIGH	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.
CVE-2025-64493 ↗	Nov 8, 2025Saturday, 8 November 2025, 02:15	6.5 MEDIUM	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1.
CVE-2025-64489 ↗	Nov 8, 2025Saturday, 8 November 2025, 01:15	8.3 HIGH	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 contain a privilege escalation vulnerability where user sessions are not invalidated upon account deactivation. An inactive user with an active session can continue to access the application and, critically, can self-reactivate their account. This undermines administrative controls and allows unauthorized persistence. This issue is fixed in versions 7.14.8 and 8.9.1.
CVE-2025-64488 ↗	Nov 8, 2025Saturday, 8 November 2025, 00:15	8.8 HIGH	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and 8.0.0-beta.1 through 8.9.0 8.0.0-beta.1, an attacker can craft a malicious call_id that alters the logic of the SQL query or injects arbitrary SQL. An attack can lead to unauthorized data access and data ex-filtration, complete database compromise, and other various issues. This issue is fixed in versions 7.14.8 and 8.9.1.
CVE-2025-54786 ↗	Aug 7, 2025Thursday, 7 August 2025, 00:15	5.3 MEDIUM	—
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1.
CVE-2024-36419 ↗	Jun 10, 2024Monday, 10 June 2024, 22:15	4.3 MEDIUM	—
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the `/legacy` route. Version 8.6.1 contains a patch for the issue.
CVE-2023-47643 ↗	Nov 21, 2023Tuesday, 21 November 2023, 20:15	3.1 LOW	—
SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.
CVE-2023-3627 ↗	Jul 11, 2023Tuesday, 11 July 2023, 17:15	8.8 HIGH	—
Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.
CVE-2023-3293 ↗	Jun 16, 2023Friday, 16 June 2023, 11:15	4.8 MEDIUM	—
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to 8.3.0.