Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via SSRF
Action: Apply Patch
AI Analysis

Impact

The vulnerability is located in the RSS Feed Dashlet of SuiteCRM. It enables a Server-Side Request Forgery that is coupled with a Denial of Service condition. An attacker can make the CRM server fetch arbitrary URLs, potentially reaching internal resources or exhausting network sockets and memory, which results in service interruption.

Affected Systems

SuiteCRM versions older than 7.15.1 (7.x branch) and 8.9.3 (8.x branch) are affected. The fix is available in those two release versions.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity, while the EPSS score is below 1%, reflecting a relatively low current exploitation probability. It does not appear in the CISA KEV catalog. The likely attack vector would involve an attacker adding or modifying an RSS feed URL within the dashlet; this is inferred from the description and the nature of the component, as explicit authentication requirements are not stated in the advisory.

Generated by OpenCVE AI on March 24, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SuiteCRM to version 7.15.1 or 8.9.3, whichever applies to your installation.
  • Confirm that the RSS Feed Dashlet functions correctly after the upgrade to ensure the patch is active.
  • Enable logging for outbound HTTP requests from the CRM and review logs for unexpected activity.
  • Restrict access to the RSS Feed Dashlet to authorized users if possible to reduce attack surface.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:00:00 +0000

Type: CPEs
Values Removed: (none listed)
Values Added: cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Removed: (none listed)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Sat, 21 Mar 2026 05:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none listed)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: Suitecrm; Suitecrm suitecrm

Type: Vendors & Products
Values Removed: (none listed)
Values Added: Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:00:00 +0000

Type: References

Thu, 19 Mar 2026 22:45:00 +0000

Type: Description
Values Added: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.

Type: Title
Values Added: SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:11:35.213Z

Reserved: 2026-03-03T21:54:06.708Z

Link: CVE-2026-29097

Vulnrichment

Updated: 2026-03-21T03:11:30.080Z

NVD

Status: Analyzed

Published: 2026-03-19T23:16:41.580

Modified: 2026-03-24T14:49:18.087

Link: CVE-2026-29097

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:20Z

Weaknesses