
Suitecrm Suitecrm-Core vulnerabilities

6 known vulnerabilities affecting suitecrm/suitecrm-core.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 4

Vulnerabilities

CVE-2025-64492 | P3 | HIGH | CVSS 8.8 | fixed in 8.9.1 | 2025-11-08
CVE-2025-64492 [HIGH] CWE-89: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive inf
Source: nvd
CVE-2026-29109 | P3 | HIGH | CVSS 7.2 | fixed in 8.9.3 | 2026-03-20
CVE-2026-29109 [HIGH] CWE-502: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvi
Source: nvd
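The entry above describes stored filter definitions reaching a deserializer. The following is an added illustration, not SuiteCRM's code: the class names (`LogFlusher`), the function names (`parseFilterUnsafe`, `parseFilterAllowedClassesFalse`, `parseFilterJson`) and the filter schema are assumptions made for the example. It shows why `unserialize()` on attacker-influenced bytes lets any class with a magic method act as a gadget, and two safer ways to load the same kind of definition.

```php
<?php
declare(strict_types=1);

// Added example, not SuiteCRM's code. Hypothetical class standing in for any
// class in the autoload path whose magic method has side effects: once
// attacker-controlled bytes reach unserialize(), it becomes a gadget.
final class LogFlusher
{
    public function __construct(public string $cmd) {}

    public function __wakeup(): void
    {
        // A real gadget would pass $this->cmd to exec()/system(); here we only report it.
        echo "[gadget] __wakeup fired, would run: {$this->cmd}\n";
    }
}

// Vulnerable shape: any class may be instantiated, any __wakeup/__destruct runs.
function parseFilterUnsafe(string $stored): mixed
{
    return unserialize($stored);
}

// Mitigation 1: forbid object instantiation entirely. Objects come back as
// __PHP_Incomplete_Class and no magic method is invoked.
function parseFilterAllowedClassesFalse(string $stored): mixed
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Mitigation 2 (preferred): store filter definitions as plain data and validate
// the schema on load. Hypothetical schema: field, operator, value.
function parseFilterJson(string $stored): array
{
    $f = json_decode($stored, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($f) || !isset($f['field'], $f['operator'], $f['value'])) {
        throw new InvalidArgumentException('malformed filter definition');
    }
    if (!in_array($f['operator'], ['=', '!=', 'like', 'in'], true)) {
        throw new InvalidArgumentException('unsupported operator');
    }
    if (!is_string($f['field']) || !preg_match('/^[a-z_][a-z0-9_]*$/i', $f['field'])) {
        throw new InvalidArgumentException('invalid field name');
    }
    return ['field' => $f['field'], 'operator' => $f['operator'], 'value' => $f['value']];
}

// Constructed payload: a serialized LogFlusher, the kind of value an actor with
// write access to a stored filter could plant.
$hostile = serialize(new LogFlusher('id > /tmp/pwned'));

parseFilterUnsafe($hostile);                   // the gadget's __wakeup runs
$r = parseFilterAllowedClassesFalse($hostile); // inert __PHP_Incomplete_Class
echo get_class($r), "\n";
print_r(parseFilterJson('{"field":"name","operator":"like","value":"%acme%"}'));
```

`allowed_classes => false` stops gadget chains but still accepts attacker-shaped structures, so the JSON-plus-schema path is the one to migrate to; the `allowed_classes` option is a good interim fix when the stored format cannot change immediately.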
CVE-2025-64493 | P3 | MEDIUM | CVSS 6.5 | affected >= 8.6.0, < 8.9.1 | 2025-11-08
CVE-2025-64493 [MEDIUM] CWE-89: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative acce
Source: nvd
CVE-2026-29108 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.9.3 | 2026-03-20
CVE-2026-29108 [MEDIUM] CWE-200: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's
Source: nvd
CVE-2026-32697 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.9.3 | 2026-03-20
CVE-2026-32697 [MEDIUM] CWE-639: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but
Source: nvd
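The entry above names the asymmetry: the save path checks `$bean->ACLAccess('save')`, the read path checks nothing. The following is an added example, not SuiteCRM's own code: `Bean`, `BeanStore`, the per-user ACL array and the `getRecordVulnerable` name are assumptions made to reproduce that shape in a self-contained script and show the fix of mirroring the save check with a view check.

```php
<?php
declare(strict_types=1);

// Added example, not SuiteCRM's code. Minimal stand-in for a module bean that
// exposes an ACLAccess() method, and a record handler with the vulnerable and
// the hardened read path side by side.
final class Bean
{
    /** @param array<string, list<string>> $acl hypothetical ACL: user id => allowed actions */
    public function __construct(
        public readonly string $module,
        public readonly string $id,
        public readonly array $data,
        public readonly array $acl,
    ) {}

    public function ACLAccess(string $action, string $userId): bool
    {
        return in_array($action, $this->acl[$userId] ?? [], true);
    }
}

final class BeanStore
{
    /** @var array<string, Bean> keyed "module:id" */
    private array $beans = [];

    public function put(Bean $b): void
    {
        $this->beans["{$b->module}:{$b->id}"] = $b;
    }

    public function get(string $module, string $id): ?Bean
    {
        return $this->beans["{$module}:{$id}"] ?? null;
    }
}

final class RecordHandler
{
    public function __construct(private BeanStore $store, private string $currentUserId) {}

    // Vulnerable shape: resolves module + id and returns the record, no view check.
    // Any authenticated user who can guess or enumerate an ID reads it (CWE-639).
    public function getRecordVulnerable(string $module, string $id): ?array
    {
        return $this->store->get($module, $id)?->data;
    }

    // Hardened: the read path gets the same gate as the write path, with the
    // 'view' action. Missing and forbidden look identical to the caller so the
    // endpoint does not become an existence oracle.
    public function getRecord(string $module, string $id): ?array
    {
        $bean = $this->store->get($module, $id);
        if ($bean === null || !$bean->ACLAccess('view', $this->currentUserId)) {
            return null;
        }
        return $bean->data;
    }

    public function saveRecord(string $module, string $id, array $data): bool
    {
        $bean = $this->store->get($module, $id);
        if ($bean === null || !$bean->ACLAccess('save', $this->currentUserId)) {
            return false;
        }
        $this->store->put(new Bean($module, $id, $data + $bean->data, $bean->acl));
        return true;
    }
}

// Constructed data: "bob" is allowed to view and save only his own contact.
$store = new BeanStore();
$store->put(new Bean('Contacts', 'c-1', ['name' => 'Alice (private)'], ['alice' => ['view', 'save']]));
$store->put(new Bean('Contacts', 'c-2', ['name' => 'Bob'], ['bob' => ['view', 'save']]));

$asBob = new RecordHandler($store, 'bob');
var_dump($asBob->getRecordVulnerable('Contacts', 'c-1')); // Alice's record leaks
var_dump($asBob->getRecord('Contacts', 'c-1'));           // denied, returns null
var_dump($asBob->getRecord('Contacts', 'c-2'));           // Bob's own record
var_dump($asBob->saveRecord('Contacts', 'c-1', ['name' => 'x'])); // denied
```

When auditing a code base for this class of bug, diff the set of ACL calls on every read helper against the write helpers that share its data source; a read path with no `ACLAccess('view')` (or equivalent) while its sibling write path checks `'save'` is exactly the pattern to flag.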
CVE-2025-54786 | P4 | MEDIUM | CVSS 5.3 | affected >= 8.8.0, < 8.8.1 and >= 7.14.6, < 7.14.7 | 2025-08-07
CVE-2025-54786 [MEDIUM] CWE-200: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functional
Source: nvd