8.6
CVE-2026-29109 - SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Proce…
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary…
6.5
CVE-2026-29108 - Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As …
8.8
CVE-2026-33289 - SuiteCRM has LDAP Filter Injection in Authentication Module
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding i…
8.8
CVE-2026-33288 - SuiteCRM has Authenticated SQL Injection in Authentication Module
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize …
8.8
CVE-2026-32756 - Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module
Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authent…
8.1
CVE-2026-29189 - SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they s…
5
CVE-2026-29107 - SuiteCRM vulnerable to authenticated SSRF via PDF export
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it is possible to create PDF templates with `<img>` tags. When a PDF is exported using this template, the content (for example, `<img src=http://{burp_collab…
5.9
CVE-2026-29106 - SuiteCRM has blind XSS in return_id parameter
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotat…
6.5
CVE-2026-32818 - Admidio is Missing Authorization on Forum Topic and Post Deletion
Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perfo…
5.4
CVE-2026-29105 - SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect…