What is the CVSS score of CVE-2026-29096?

CVE-2026-29096 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Suitecrm are affected by CVE-2026-29096?

SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a critical SQL injection vulnerability in the Reports module that allows authenticated users to extract sensitive data including password hashes,…

How to fix or mitigate CVE-2026-29096?

Within 24 hours: Identify all SuiteCRM instances and their versions; restrict Reports module access to only critical administrators pending remediation; enable database access logging to detect exploitation attempts. Within 7 days: Contact SuiteCRM vendor for patched versions (7.15.1 or 8.9.3) or interim security updates; plan and test patch deployment in a staging environment. Within 30 days: Deploy patches to all production SuiteCRM instances; conduct forensic review of database access logs for suspicious query activity; reset all database credentials and API tokens as a precaution.

Suitecrm CVE-2026-29096

HIGH

SQL Injection (CWE-89)

2026-03-19 GitHub_M

SQLi Suitecrm

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 19, 2026 - 23:00 vuln.today

CVE Published

Mar 19, 2026 - 22:37 nvd

HIGH 8.1

DescriptionGitHub Advisory

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the field_function parameter from POST data is saved directly into the aor_fields table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.

AnalysisAI

A second-order SQL injection vulnerability exists in the Reports module of SuiteCRM, allowing authenticated users with reporting privileges to execute arbitrary SQL queries when viewing reports. The vulnerability affects SuiteCRM versions before 7.15.1 and 8.9.3, enabling attackers to extract sensitive database contents including password hashes, API tokens, and configuration values, with potential for remote code execution on MySQL installations with FILE privileges. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as user with Reports access

Delivery

Submit crafted POST to create/edit AOR_Reports

Exploit

Store malicious SQL in field_function parameter

Execution

Execute report to trigger SQL injection

Impact

Extract database contents including credentials