Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php`, where they are used in constructing paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that copies the content of any readable directory on the underlying host into the web root, making its contents readable over HTTP. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc`, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read Sensitive Files
Action: Apply Patch
AI Analysis

Impact

A path‑traversal weakness exists in the export custom functionality of SuiteCRM’s ModuleBuilder component. When a user supplies crafted values for the `$modules` and `$name` parameters, the application constructs file paths without proper sanitization and copies the contents of any directory readable by the web-server process into the web root. This allows an attacker who can reach the ModuleBuilder interface, typically an administrator, to expose sensitive files such as configuration data, environment variables, or even system files in /etc, by making them publicly accessible through the web application.
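To make the mechanism concrete, here is an added illustration in PHP. It is not SuiteCRM's `exportCustom` code; the directory layout (`modules/<module>` as the source, `custom/export/<name>` as the destination), the function names and the sandbox contents are assumptions made for the example. It shows the vulnerable shape, in which `$modules` and `$name` are interpolated straight into paths, beside a hardened version that allowlists both values and checks the resolved source path against the root it is supposed to stay under.

```php
<?php
// Added illustration, not SuiteCRM's code: a minimal export routine in the
// vulnerable shape the advisory describes, beside a hardened version.
// Assumptions: $base is the installation root, module sources live under
// $base/modules/<module>, and exports are written to $base/custom/export/<name>.
declare(strict_types=1);

function copyTree(string $src, string $dst): void
{
    if (!is_dir($dst) && !mkdir($dst, 0750, true)) {
        throw new RuntimeException("cannot create $dst");
    }
    foreach (scandir($src) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_dir("$src/$entry")) {
            copyTree("$src/$entry", "$dst/$entry");
        } elseif (is_file("$src/$entry")) {
            copy("$src/$entry", "$dst/$entry");
        }
    }
}

// Vulnerable shape: both request-controlled values are interpolated into
// the source and destination paths without any neutralisation, so a value
// such as "../outside" makes the source point wherever the attacker likes.
function exportCustomVulnerable(string $base, string $modules, string $name): string
{
    $dst = "$base/custom/export/$name";
    copyTree("$base/modules/$modules", $dst);
    return $dst;
}

// Hardened shape: allowlist each component, then verify that the resolved
// source really lies under modules/ before reading anything from it.
function assertIdentifier(string $value, string $label): void
{
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value) !== 1) {
        throw new InvalidArgumentException("invalid $label: $value");
    }
}

function resolveInside(string $path, string $root): string
{
    $realRoot = realpath($root);
    $realPath = realpath($path);
    $prefix   = $realRoot === false ? '' : $realRoot . DIRECTORY_SEPARATOR;
    if ($realRoot === false || $realPath === false
        || strncmp($realPath, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("path escapes $root: $path");
    }
    return $realPath;
}

function exportCustomHardened(string $base, string $modules, string $name): string
{
    assertIdentifier($modules, 'module');
    assertIdentifier($name, 'package name');
    $src = resolveInside("$base/modules/$modules", "$base/modules");
    $dst = "$base/custom/export/$name";
    copyTree($src, $dst);
    return $dst;
}

// Constructed sandbox standing in for an installation: one legitimate module
// and a sibling directory outside modules/ that plays the role of /etc.
$sandbox = sys_get_temp_dir() . '/cve-2026-29098-demo-' . bin2hex(random_bytes(4));
mkdir("$sandbox/modules/Accounts", 0750, true);
file_put_contents("$sandbox/modules/Accounts/vardefs.php", "<?php // sample module file\n");
mkdir("$sandbox/outside", 0750, true);
file_put_contents("$sandbox/outside/secret.env", "DB_PASSWORD=constructed-sample\n");

$modules = '../outside'; // attacker-controlled: climbs out of modules/
$name    = 'leak';

$dst    = exportCustomVulnerable($sandbox, $modules, $name);
$copied = array_values(array_diff(scandir($dst), ['.', '..']));
echo "vulnerable: copied " . implode(', ', $copied) . " into $dst\n";

try {
    exportCustomHardened($sandbox, $modules, $name);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected, " . $e->getMessage() . "\n";
}
echo "hardened: legitimate export written to "
    . exportCustomHardened($sandbox, 'Accounts', 'pkg1') . "\n";
```

Two checks are used rather than one because they cover different failure modes: the allowlist rejects `..`, separators and encoded variants before any filesystem call, and the `realpath` containment check also catches symlinks inside `modules/` that point elsewhere. The destination is protected by the allowlist alone, since `realpath` cannot be applied to a directory that does not exist yet.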

Affected Systems

Versions of SuiteCRM prior to 7.15.1 and 8.9.3 contain the vulnerability. Both the 7.x and 8.x branches have the export custom feature, so all releases up to 7.15.0 and 8.9.2 are affected. The issue was fixed in release 7.15.1 and 8.9.3, which patch the path‑traversal logic in the controller and export code.

Risk and Exploitability

The CVSS 3.1 score of 4.9 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) signals moderate severity: the impact is confidentiality-only but rated high, and the score is held down by the high privileges required. The EPSS probability below 1 % indicates that exploitation in the wild is currently expected to be rare, and the SSVC assessment records no known exploitation. The flaw requires an authenticated account permitted to use ModuleBuilder, normally an administrator, reached over the network with no user interaction. Such a user can craft a single export request that copies any directory readable by the web-server process into the web root, where its contents become retrievable over HTTP. Because the attack rides an existing feature rather than a memory-safety or race condition, anyone with administrative rights to the application can exploit it trivially.

Generated by OpenCVE AI on March 24, 2026 at 16:54 UTC.

Remediation

The vendor fix is the upgrade to 7.15.1 or 8.9.3 named in the Description. No vendor-supplied workaround for unpatched installations is listed.

OpenCVE Recommended Actions

  • Update SuiteCRM to version 7.15.1 or later, or 8.9.3 or later, to apply the official patch.
  • If a patch cannot be applied immediately, restrict ModuleBuilder access so that only trusted administrators can use it.
  • Verify that the web server is configured to deny direct access to files placed in the web root that are not intended to be public. A copied directory lands under a path no existing rule anticipates, so only a deny-by-default configuration that serves known entry points and asset directories helps here.
  • Monitor for unexpected files or directories appearing under the web root, particularly under locations the application writes to, and review access logs for ModuleBuilder requests invoking the exportCustom action with traversal sequences in their parameters.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 15:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Suitecrm; Suitecrm suitecrm
Type: Vendors & Products
Values Added: Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:00:00 +0000

Type: Description
Values Added: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php`, where they are used in constructing paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that copies the content of any readable directory on the underlying host into the web root, making its contents readable over HTTP. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc`, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
Type: Title
Values Added: SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action
Type: Weaknesses
Values Added: CWE-23
Type: References
Values Added: (none shown)
Type: Metrics (cvssV3_1)
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T17:45:30.519Z

Reserved: 2026-03-03T21:54:06.708Z

Link: CVE-2026-29098

Vulnrichment

Updated: 2026-03-20T17:43:57.701Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:41.747

Modified: 2026-03-24T14:48:30.840

Link: CVE-2026-29098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:19Z

Weaknesses