Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A directory traversal weakness in SuiteCRM modules allows an attacker to send crafted requests that can potentially overload the application, leading to a denial of service. The vulnerability is a classic path traversal issue (CWE-23) and can disrupt normal operation by exhausting resources or triggering application errors.

Affected Systems

All installations of SuiteCRM prior to version 7.15.1 and prior to version 8.9.3 are vulnerable. This includes the 7.x and 8.x major releases that have not been updated to the referenced patch levels. Users running the older releases should verify the major version and apply the corresponding fix.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploits. Attackers would need to execute crafted web requests against the vulnerable modules; remote exploitation is inferred from the nature of the issue, though no confirmed public exploit exists. Overall, the risk is modest, but proactive remediation is recommended to avoid potential service disruption.

Generated by OpenCVE AI on March 24, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SuiteCRM to version 7.15.1 or later, or to version 8.9.3 or later, to apply the official patch
  • If an update cannot be performed immediately, temporarily block or rate-limit access to the affected modules to mitigate DoS risk
  • Monitor web server and application logs for abnormal request patterns that may indicate attempts to exploit the directory traversal path


Tracking


Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Suitecrm; Suitecrm suitecrm
Vendors & Products | | Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Title | | SuiteCRM Vulnerable to Directory Traversal to DoS in Modules
Weaknesses | | CWE-23
References | |
Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Suitecrm Suitecrm
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:09:29.978Z

Reserved: 2026-03-03T21:54:06.708Z

Link: CVE-2026-29101

Vulnrichment

Updated: 2026-03-20T16:59:44.533Z

NVD

Status: Analyzed

Published: 2026-03-19T23:16:42.637

Modified: 2026-03-24T14:33:57.507

Link: CVE-2026-29101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:15Z

Weaknesses