Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated Remote Code Execution vulnerability exists in SuiteCRM modules. The flaw allows an attacker who can authenticate to the application to inject and execute arbitrary code on the server, compromising confidentiality, integrity, and availability for the application and its data.

Affected Systems

The affected product is SuiteCRM. Versions released before 7.15.1 and 8.9.3 contain the vulnerability. Any installation running those older releases is susceptible.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while an EPSS score below 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated remote access; an attacker who can log in and access the vulnerable module can trigger code execution.

Generated by OpenCVE AI on March 24, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify which SuiteCRM version is installed on each server.
  • If the version is earlier than the patched releases 7.15.1 or 8.9.3, upgrade to the patched version or a newer release.
  • After upgrading, confirm that the vulnerable modules have been removed or are correctly configured, so that no legacy code paths remain.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:30:00 +0000

CPEs (values added): cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 16:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

First Time appeared (values added): Suitecrm; Suitecrm suitecrm
Vendors & Products (values added): Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:00:00 +0000

Description (values added): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Title (values added): SuiteCRM has Authenticated RCE in Modules
Weaknesses (values added): CWE-94
References: (no values recorded)
Metrics (values added): cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:00:25.674Z

Reserved: 2026-03-03T21:54:06.708Z

Link: CVE-2026-29102

Vulnrichment

Updated: 2026-03-20T15:00:22.927Z

NVD

Status: Analyzed

Published: 2026-03-19T23:16:42.807

Modified: 2026-03-24T14:29:12.233

Link: CVE-2026-29102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:13Z

Weaknesses