6.5 (CVSS3.1)

CVE-2026-32758 - File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is va…

📅 Published: March 19, 2026, 11:22 p.m. 🔄 Last Modified: March 23, 2026, 4:55 p.m.

8.2 (CVSS3.1)

CVE-2026-32763 - SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `K…

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 have a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The `visitJSONPathLeg()` function appends user-controlled values from `.key()` and `.at()` directly into single-quoted J…

📅 Published: March 19, 2026, 11:14 p.m. 🔄 Last Modified: March 21, 2026, 3:05 a.m.

6.5 (CVSS3.1)

CVE-2026-32697 - SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user …

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` meth…

📅 Published: March 19, 2026, 11:13 p.m. 🔄 Last Modified: March 23, 2026, 4:42 p.m.

5.4 (CVSS3.1)

CVE-2026-32757 - Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inje…

📅 Published: March 19, 2026, 11:12 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

8.6 (CVSS4.0)

CVE-2026-29109 - SuiteCRM Authenticated Remote Code Execution via Unsafe Deserialization in SavedSearch Filter Proce…

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary…

📅 Published: March 19, 2026, 11:12 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

6.5 (CVSS3.1)

CVE-2026-29108 - Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As …

📅 Published: March 19, 2026, 11:10 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

8.8 (CVSS3.1)

CVE-2026-33289 - SuiteCRM has LDAP Filter Injection in Authentication Module

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding i…

📅 Published: March 19, 2026, 11:09 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

8.8 (CVSS3.1)

CVE-2026-33288 - SuiteCRM has Authenticated SQL Injection in Authentication Module

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize …

📅 Published: March 19, 2026, 11:08 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

8.8 (CVSS3.1)

CVE-2026-32756 - Admidio: Unrestricted File Upload via CSRF Token Validation Bypass in Documents & Files Module

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authent…

📅 Published: March 19, 2026, 11:08 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

8.1 (CVSS3.1)

CVE-2026-29189 - SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they s…

📅 Published: March 19, 2026, 11:05 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

Total results: 340077
Page 126 of 34,008