Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated arbitrary file upload
Action: Apply patch
AI Analysis

Impact

SuiteCRM versions prior to 7.15.1 and 8.9.3 allow an authenticated administrator to bypass the file type restrictions on PDF font uploads in the Configurator module, so arbitrary content with an attacker-controlled file name is written to the server. This is unrestricted upload of a file with dangerous type (CWE-434). The CVSS vector records a low integrity impact and no confidentiality or availability impact: on its own the flaw does not give code execution, because the upload directory is not web-accessible by default, but a written file with a chosen name and extension becomes useful the moment another weakness, or a deployment that serves the upload directory, lets an attacker reach or include it.

Affected Systems

The affected product is SuiteCRM, from the vendor SuiteCRM: 7.x releases before 7.15.1 and 8.x releases before 8.9.3 (the NVD CPE is the wildcard cpe:2.3:a:suitecrm:suitecrm:*). No other vendors or products are listed.

Risk and Exploitability

The CVSS 3.1 base score is 2.7 (Low) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N: the Configurator is reachable over the network with low attack complexity, but the attacker must already hold an administrator account (PR:H), and the direct impact is limited to integrity. EPSS is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not in CISA's Known Exploited Vulnerabilities catalog. The practical risk is concentrated in deployments where the upload directory is served by the web server, or where a second flaw lets an attacker reach or include the written file; in those cases an admin-level file write is a step towards code execution rather than a low-severity nuisance.

Generated by OpenCVE AI on March 24, 2026 at 15:27 UTC.

Remediation

Vendor fix: upgrade to SuiteCRM 7.15.1 (7.x branch) or 8.9.3 (8.x branch), which patch the issue. No vendor workaround is published; the actions below are compensating controls for instances that cannot be upgraded immediately.

OpenCVE Recommended Actions

  • Update SuiteCRM to 7.15.1 on the 7.x branch or 8.9.3 on the 8.x branch to apply the vendor patch
  • If an immediate update is not possible, minimise the number of administrator accounts and review who can reach the Configurator module, since only that role can trigger the upload
  • Confirm the upload directory is not served by the web server (deny direct requests in the web-server configuration, not only by convention) and restrict stored file names to an allowlisted pattern
  • Audit the upload directory and application logs for files that are not genuine font files, checking extension and magic bytes rather than the client-supplied name
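The last two actions come down to one check applied twice: at upload time, before a file name or its content is trusted, and again over what is already on disk. The following is an added example of that check, written for this page and not taken from SuiteCRM's code base; it assumes (the advisory does not say) that the handler receives a client-supplied name plus the raw bytes, that legitimate "PDF font" uploads are TrueType, OpenType or Type 1 files, and that they live under an assumed UPLOAD_DIR. The sample files in demo_audit() are constructed for the demonstration.

```python
"""Upload-time validation and on-disk audit for "PDF font" uploads.

Added example, not SuiteCRM's own code. Assumed (not stated in the advisory):
the handler gets a client-supplied file name plus the raw bytes, legitimate
uploads are TrueType/OpenType/Type 1 font files, and they live in UPLOAD_DIR.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

UPLOAD_DIR = Path("upload/fonts")  # assumed location, used only as a default

# Allowed extensions and the magic bytes a file of that type must start with.
FONT_MAGIC = {
    ".ttf": (b"\x00\x01\x00\x00", b"true"),  # TrueType sfnt versions
    ".otf": (b"OTTO",),                       # OpenType with CFF outlines
    ".pfb": (b"\x80\x01",),                   # binary Type 1
    ".afm": (b"StartFontMetrics",),           # Adobe font metrics
}

# Stored names are <stem><ext>; the stem may not contain '.', '/', '\\' or NULs,
# so "shell.php.ttf" and "a.php\x00.ttf" are rejected along with traversal.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UploadRejected(ValueError):
    """Raised with a short reason that never echoes the uploaded bytes."""


def sanitize_filename(client_name: str) -> str:
    """Reduce a client-supplied name to an allow-listed '<stem><ext>'.

    Only the final path component is kept, so '../../shell.ttf' becomes
    'shell.ttf'; the extension must be a known font type and the stem must
    fully match SAFE_STEM (fullmatch, so a trailing newline cannot slip by).
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in FONT_MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not SAFE_STEM.fullmatch(stem):
        raise UploadRejected(f"file name stem {stem!r} not allowed")
    return stem + ext


def validate_font_upload(client_name: str, data: bytes,
                         upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return the destination path for an upload, or raise UploadRejected.

    The content check uses magic bytes, not the name: a '.ttf' whose first
    bytes are '<?php' is refused even though its extension is allowed.
    """
    safe_name = sanitize_filename(client_name)
    ext = os.path.splitext(safe_name)[1]
    if not any(data.startswith(magic) for magic in FONT_MAGIC[ext]):
        raise UploadRejected(f"content does not look like a {ext} font")
    dest = (upload_dir / safe_name).resolve()
    if dest.parent != upload_dir.resolve():  # belt and braces after basename()
        raise UploadRejected("destination escaped the upload directory")
    return dest


def rejection_reason(client_name: str, data: bytes,
                     upload_dir: Path = UPLOAD_DIR) -> str | None:
    """None if the upload would be accepted, otherwise the rejection reason."""
    try:
        validate_font_upload(client_name, data, upload_dir)
    except UploadRejected as exc:
        return str(exc)
    return None


def audit_upload_dir(upload_dir: Path) -> list[tuple[str, str]]:
    """Flag files already on disk that the validator would not have accepted.

    Compensating control for an unpatched instance. Reads only the first 32
    bytes of each file, which covers every magic value in FONT_MAGIC.
    """
    findings = []
    for path in sorted(upload_dir.iterdir()):
        if not path.is_file():
            findings.append((path.name, "not a regular file"))
            continue
        with path.open("rb") as fh:
            head = fh.read(32)
        reason = rejection_reason(path.name, head, upload_dir)
        if reason is not None:
            findings.append((path.name, reason))
    return findings


def demo_audit() -> list[tuple[str, str]]:
    """Run the audit over a constructed upload directory (sample data, not real)."""
    samples = {
        "DejaVuSans.ttf": b"\x00\x01\x00\x00" + b"\x00" * 28,  # genuine-looking TrueType
        "Cambria.otf": b"OTTO" + b"\x00" * 28,                # genuine-looking OpenType
        "shell.php": b"<?php echo 1; ?>",                     # wrong extension
        "x.php.ttf": b"\x00\x01\x00\x00" + b"\x00" * 28,      # double extension in the name
        "fake.ttf": b"<?php echo 1; ?>",                      # allowed name, wrong content
    }
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        for name, data in samples.items():
            (upload_dir / name).write_bytes(data)
        return audit_upload_dir(upload_dir)


if __name__ == "__main__":
    for name, reason in demo_audit():
        print(f"{name}: {reason}")
```

The name check and the content check are deliberately independent: the first stops an attacker-controlled name from carrying a second extension or a path separator into the store, the second stops a correctly named file from carrying non-font content. Running audit_upload_dir() on a schedule over the real upload directory gives the "monitor for unauthorized uploads" signal without depending on any particular log format.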



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:30:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Sat, 21 Mar 2026 05:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Suitecrm; Suitecrm suitecrm
Vendors & Products    (none)           Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.
Title         (none)           SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM
Weaknesses    (none)           CWE-434
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:09:13.374Z

Reserved: 2026-03-03T21:54:06.709Z

Link: CVE-2026-29104

Vulnrichment

Updated: 2026-03-21T03:09:02.452Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:43.147

Modified: 2026-03-24T14:18:28.777

Link: CVE-2026-29104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:11Z

Weaknesses