{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29096", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.708Z", "datePublished": "2026-03-19T22:37:51.208Z", "dateUpdated": "2026-03-19T22:44:51.372Z"}, "containers": {"cna": {"title": "SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:44:51.372Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-vh42-gmqm-q55m", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue."}], "id": "CVE-2026-29096", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.407", "references": [{"source": "security-advisories@github.com", "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-19T23:20:32.058291+00:00", "value": {"mitigation_remediation": ["Upgrade SuiteCRM to version 7.15.1 or 8.9.3 (or later) to apply the official fix.", "If an upgrade is not immediately possible, restrict or remove Reports module access for non\u2011trusted users to prevent exploitation.", "Consider disabling the FILE privilege for the database user to block potential SELECT INTO OUTFILE attacks.", "Monitor database queries and application logs for anomalous SELECT statements that might indicate exploitation."], "summary": {"action": "Apply Patch", "impact": "SQL Injection \u2013 data extraction and potential RCE"}, "threat_synthesis": {"affected_systems": "Affected versions are the SuiteCRM open\u2011source platform prior to 7.15.1 and 8.9.3. The issue is limited to the AOR_Reports module used for report creation and execution. All installations that allow authenticated users to access Reports are at risk until they upgrade to the patched releases.", "description_and_impact": "The vulnerability arises when the field_function parameter submitted via POST during report creation or editing is stored without validation and later interpolated directly into a SQL SELECT statement. This second\u2011order SQL injection allows an authenticated user with Reports access to retrieve arbitrary database contents such as password hashes, API tokens, and configuration values. On MySQL installations that grant the FILE privilege, the attacker could further exploit a SELECT INTO OUTFILE construct to write files to disk, potentially leading to remote code execution. The weakness is a classic CWE\u201189 Injection. The CVSS base score is 8.1.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, with no EPSS data available but likely exploitation due to the ease of injection once a user has Reports access. The vulnerability is not listed in the CISA KEV catalog, implying it is not known to be actively exploited in the wild. Attackers must authenticate to the platform and possess Reports privileges; however, the cross\u2011database access afforded by the injection can compromise entire systems. Because the flaw leverages a normal CMS feature, the attack vector is bypassing input validation rather than an external network trigger."}}}}, "created": "2026-03-20T08:54:40.695619+00:00", "updated": "2026-03-20T10:44:08.921582+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}