Description
SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the index.php endpoint to extract sensitive database information through time-based blind SQL injection techniques.
Published: 2026-04-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

SuiteCRM 7.10.7 is vulnerable to a time‑based blind SQL injection in the Users module DetailView action. An authenticated user can inject SQL code into the record parameter of GET requests to index.php. The injected statements delay the database response, enabling an attacker to glean sensitive database contents without directly observing output. The vulnerability allows unauthorized extraction of confidential data stored in the database, potentially compromising data integrity and confidentiality.

Affected Systems

SuiteCRM version 7.10.7. The affected product is SuiteCRM’s Users module accessed via the DetailView action when authenticated. No other product versions or vendors are listed.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. While EPSS data is not available, the lack of official exploitation reports and the absence of this CVE from the KEV catalog reduce the immediate likelihood of exploitation; because authentication is required, the attack is limited to insiders or to compromised user accounts. Compared with public or remote exploits, the risk nonetheless remains significant for organizations running this version.

Generated by OpenCVE AI on April 5, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SuiteCRM to a version newer than 7.10.7, such as 7.11 or later, where this issue is fixed
  • Ensure that only trusted authenticated users have access to the Users module DetailView action
  • Verify that the record parameter is properly sanitized in any custom code or extensions

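As an added defensive example (not part of this OpenCVE record or of SuiteCRM's own code), the following Python applies the allow-list check the third recommendation calls for and runs it over constructed web-server log lines to flag Users/DetailView requests whose record value is not a well-formed SuiteCRM record ID. It assumes SuiteCRM record IDs are 36-character GUIDs and that the log is in combined format; the log lines, addresses and IDs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption of this example: SuiteCRM record IDs are 36-character GUIDs
# (8-4-4-4-12 hex groups). Anything else in the record parameter is rejected.
RECORD_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Combined-format request line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def validate_record_id(value):
    """Allow-list check for the record parameter: the GUID (lower-cased) or None."""
    if value is not None and RECORD_ID_RE.match(value):
        return value.lower()
    return None


def suspicious_detailview_request(log_line):
    """Return the offending record value when the line is a request to index.php
    with module=Users&action=DetailView whose record is not a GUID, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/index.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # decodes %xx escapes
    if q.get("module") != ["Users"] or q.get("action") != ["DetailView"]:
        return None
    record = q.get("record", [None])[0]
    if validate_record_id(record) is None:
        return record  # flagged: missing or malformed record ID
    return None


def scan(lines):
    """Index and record value of every flagged line, in order."""
    return [(i, rec) for i, line in enumerate(lines)
            if (rec := suspicious_detailview_request(line)) is not None]


# Constructed sample lines (not real traffic): one benign, one malformed, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Apr/2026:21:16:43 +0000] "GET /index.php?module=Users&action=DetailView&record=a1b2c3d4-1111-2222-3333-444455556666 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [05/Apr/2026:21:17:02 +0000] "GET /index.php?module=Users&action=DetailView&record=a1b2c3d4-1111-2222-3333-444455556666%27%20x HTTP/1.1" 200 5120',
    '10.0.0.7 - - [05/Apr/2026:21:17:30 +0000] "GET /index.php?module=Accounts&action=index HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for idx, rec in scan(SAMPLE_LOG):
        print(f"line {idx}: malformed record parameter {rec!r}")
```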

Tracking


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:salesagility:suitecrm:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 07:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Suitecrm, Suitecrm suitecrm
Vendors & Products | | Suitecrm, Suitecrm suitecrm

Sun, 05 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the index.php endpoint to extract sensitive database information through time-based blind SQL injection techniques.
Title | | SuiteCRM 7.10.7 SQL Injection via record Parameter
First Time appeared | | Salesagility, Salesagility suitecrm
Weaknesses | | CWE-89
CPEs | | cpe:2.3:a:salesagility:suitecrm:7.10.7:*:*:*:*:*:*:*
Vendors & Products | | Salesagility, Salesagility suitecrm
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Salesagility Suitecrm
Suitecrm Suitecrm
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T18:10:46.744Z

Reserved: 2026-04-05T13:03:22.415Z

Link: CVE-2019-25664

Vulnrichment

Updated: 2026-04-06T18:10:41.334Z

NVD

Status: Analyzed

Published: 2026-04-05T21:16:43.570

Modified: 2026-04-20T18:11:18.097

Link: CVE-2019-25664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:48:44Z

Weaknesses