Description
SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using boolean-based SQL injection techniques to extract sensitive database information.
Published: 2026-04-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling data extraction
Action: Immediate Patch
AI Analysis

Impact

SuiteCRM version 7.10.7 contains a SQL injection flaw where the parentTab parameter can be manipulated by authenticated users. By sending crafted GET requests to the email module, attackers can inject Boolean-based SQL fragments and retrieve sensitive database content. The primary impact is unauthorized disclosure of data and potential compromise of database integrity.

Affected Systems

The vulnerability affects installations running SuiteCRM 7.10.7. Any deployment of this product that exposes the email module and allows authenticated access to the parentTab parameter is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, but exploit probability data (EPSS) is unavailable and the vulnerability is not listed in the KEV catalog, suggesting limited public exploitation to date. The attack requires authentication and is performed via a web-based GET request, making it accessible to attackers who can reach the email module endpoint.

Generated by OpenCVE AI on April 5, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest SuiteCRM release that contains the fix for the parentTab SQL injection flaw.
  • Restrict or disable access to the email module for unauthenticated users and limit permission scopes for authenticated accounts.
  • Ensure database accounts used by SuiteCRM have the least privilege required for application operation.
  • Monitor application logs for suspicious query patterns involving the parentTab parameter.
  • Apply general input validation and sanitization best practices for any user-supplied parameters.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type                | Values Removed | Values Added
CPEs                |                | cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Suitecrm; Suitecrm suitecrm
Vendors & Products  |                | Suitecrm; Suitecrm suitecrm

Mon, 06 Apr 2026 16:45:00 +0000

Type                | Values Removed | Values Added
Metrics             |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using boolean-based SQL injection techniques to extract sensitive database information.
Title               |                | SuiteCRM 7.10.7 SQL Injection via parentTab Parameter
First Time appeared |                | Salesagility; Salesagility suitecrm
Weaknesses          |                | CWE-89
CPEs                |                | cpe:2.3:a:salesagility:suitecrm:7.10.7:*:*:*:*:*:*:*
Vendors & Products  |                | Salesagility; Salesagility suitecrm
References          |                |
Metrics             |                | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                    |                | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:27:46.638Z

Reserved: 2026-04-05T13:01:18.962Z

Link: CVE-2019-25663

Vulnrichment

Updated: 2026-04-06T15:08:18.265Z

NVD

Status : Analyzed

Published: 2026-04-05T21:16:43.393

Modified: 2026-04-20T18:11:50.063

Link: CVE-2019-25663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:56:14Z

Weaknesses