Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect that can be leveraged for phishing and social engineering
Action: Patch
AI Analysis

Impact

SuiteCRM’s WebToLead capture feature accepts a user-supplied POST parameter and redirects the user without validating the target URL. This allows an attacker to send victims to arbitrary external sites, potentially facilitating phishing or other social-engineering attacks. The vulnerability does not directly compromise data or execute code, but it enables the trusted domain to be abused as a launchpad for malicious traffic.

Affected Systems

The issue affects SuiteCRM installations running any version prior to 7.15.1 and 8.9.3. Administrators should verify the current release and apply the patch for the specific version in use.

Risk and Exploitability

The CVSS score of 5.4 places the vulnerability in the medium severity range. The EPSS score is below 1%, indicating a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is unauthenticated HTTP POST requests to the WebToLead endpoint, requiring no special privileges or credentials. When an attacker supplies a crafted URL, the system will redirect the victim automatically, enabling a phishing chain.

Generated by OpenCVE AI on March 24, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SuiteCRM to version 7.15.1 or 8.9.3, which contain the fixed redirect logic
  • If an immediate update is not possible, restrict the WebToLead POST endpoint to allow only internal redirects or validate the target URL against a whitelist
  • Apply a Web Application Firewall rule to block or flag automatic redirects to unknown external domains
  • Monitor access logs for abnormal redirect patterns and investigate suspicious POST activity

Generated by OpenCVE AI on March 24, 2026 at 15:27 UTC.
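The second and fourth recommended actions above (validate the redirect target against an allowlist; monitor access logs for abnormal redirect patterns) are shown below in working form. This is an added example written for this record; it is not SuiteCRM code and not part of the OpenCVE output. Everything specific in it is an assumption: the `TRUSTED_HOSTS` allowlist, the `WebToLead` marker used to spot the capture endpoint in a request path, and the constructed log lines. The log sweep presumes the web server writes the `Location` response header into the access log (Apache's `%{Location}o` LogFormat directive does this), since a standard combined log does not record where a 302 sent the client.

```python
"""Allowlist check for a redirect target, plus a log sweep that reuses it.

Added example for CVE-2026-29105's record; not SuiteCRM code. The
allowlist, endpoint marker and log lines below are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Assumption: the CRM's own public hostname(s). Adapt to the deployment.
TRUSTED_HOSTS = frozenset({"crm.example.com"})


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on a trusted host.

    Accepts a site-relative path ("/index.php?...") or an absolute http(s)
    URL whose hostname is in the allowlist. Everything else is rejected,
    including the usual allowlist bypasses: protocol-relative "//host",
    backslash variants "/\\host" that browsers normalise to "//host",
    credentials before the host ("https://trusted@other"), scheme-only
    forms like "http:host", and non-http schemes.
    """
    if not target:
        return False
    # Whitespace and control characters never belong in a redirect target;
    # they are also how a second URL or header gets smuggled past substring checks.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat a backslash after the origin like a forward slash.
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed IPv6 brackets and similar
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: exactly one leading slash, so it resolves on this site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; port and userinfo already stripped
    return host is not None and host in trusted_hosts


# Constructed access-log lines: Apache "combined" layout with one extra
# quoted field at the end, the Location response header (%{Location}o).
# The entry-point path is a placeholder containing the WebToLead marker.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2026:10:01:02 +0000] "POST /index.php?entryPoint=WebToLeadCapture HTTP/1.1" 302 - "-" "Mozilla/5.0" "https://crm.example.com/thanks.html"
203.0.113.10 - - [19/Mar/2026:10:01:09 +0000] "GET /index.php?module=Home HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [19/Mar/2026:10:02:44 +0000] "POST /index.php?entryPoint=WebToLeadCapture HTTP/1.1" 302 - "-" "curl/8.5.0" "https://crm.example.com@203.0.113.99/login"
198.51.100.7 - - [19/Mar/2026:10:02:51 +0000] "POST /index.php?entryPoint=WebToLeadCapture HTTP/1.1" 302 - "-" "curl/8.5.0" "//203.0.113.99/login"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<location>[^"]*)"$'
)


def flag_external_redirects(log_text: str, endpoint_marker: str = "WebToLead"):
    """Return (client_ip, request_path, location) for every POST to the
    lead-capture endpoint that answered with a 3xx whose Location fails
    the allowlist check. Lines that do not parse are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or endpoint_marker not in m["path"]:
            continue
        if not m["status"].startswith("3") or m["location"] in ("", "-"):
            continue
        if not is_safe_redirect(m["location"]):
            findings.append((m["ip"], m["path"], m["location"]))
    return findings


if __name__ == "__main__":
    for ip, path, loc in flag_external_redirects(SAMPLE_LOG):
        print(f"external redirect from {ip}: {path} -> {loc}")
```

The validator deliberately works on the parsed hostname rather than on a substring of the URL, which is what defeats `https://crm.example.com@other-host/` and `https://crm.example.com.other-host/`. The log sweep applies the same function to recorded `Location` values, so a single allowlist governs both the fix and the detection.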

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Suitecrm; Suitecrm suitecrm
Vendors & Products | | Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
Title | | SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:09:24.064Z

Reserved: 2026-03-03T21:54:06.709Z

Link: CVE-2026-29105

Vulnrichment

Updated: 2026-03-20T16:58:56.014Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:43.327

Modified: 2026-03-24T14:10:38.800

Link: CVE-2026-29105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:10Z

Weaknesses