
SuiteCRM CVE-2026-29097

HIGH · Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-03-19 · Source: GitHub_M
CVSS 3.1 score 7.5 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.5 HIGH · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 19, 2026 - 23:00 (vuln.today)
CVE Published: Mar 19, 2026 - 22:39 (nvd) · HIGH 7.5

Description (GitHub Advisory)

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.

Analysis (AI)

The RSS Feed Dashlet in SuiteCRM versions before 7.15.1 and 8.9.3 is vulnerable to a server-side request forgery (SSRF) attack that can be exploited to trigger denial of service conditions. An unauthenticated remote attacker can leverage this vulnerability to disrupt service availability without requiring user interaction. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft malicious RSS feed URL
Delivery: Submit to RSS Feed Dashlet
Exploit: Trigger SSRF request to internal resource
Execution: Exhaust server resources
Impact: Cause denial of service

Vulnerability Assessment (AI)

Exploitation: Remote unauthenticated attacker exploiting the RSS Feed Dashlet component in SuiteCRM versions prior to 7.15.1 and 8.9.3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Access to internal services, cloud metadata endpoints, or other resources not intended to be publicly accessible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker provides a URL pointing to an internal service (e.g., http://169.254.169.254/latest/meta-data/) through a vulnerable parameter, causing the server to fetch and return internal data.
Remediation: Validate and whitelist allowed URLs and IP ranges. … Detailed patch versions, workarounds, and compensating controls in full report.
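As an added illustration of the allowlist-based validation the remediation line describes (example code written for this page, not SuiteCRM's own), the following Python checks a feed URL against a host allowlist and then rejects any destination that resolves to a private, loopback, link-local or other non-public address such as 169.254.169.254. The allowlist contents and the resolver hook are assumptions of the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would keep it in
# configuration. This is not a SuiteCRM setting.
ALLOWED_HOSTS = {"feeds.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) so the IPv4
    # range checks apply to the embedded address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return addr.is_global and not blocked


def resolve_host(host: str) -> set:
    """Resolve every A/AAAA record; the caller must check all of them."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_feed_url(url: str, resolver=resolve_host) -> set:
    """Return the resolved addresses a fetcher may connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # An allowlisted name can still point at an internal address (DNS rebinding),
    # so check every resolved IP and have the fetcher connect only to these.
    ips = resolver(host)
    if not ips:
        raise ValueError(f"host did not resolve: {host!r}")
    internal = sorted(ip for ip in ips if not is_public_address(ip))
    if internal:
        raise ValueError(f"host resolves to non-public address(es): {internal}")
    return ips


def is_safe_feed_url(url: str, resolver=resolve_host) -> bool:
    try:
        validate_feed_url(url, resolver)
        return True
    except ValueError:
        return False
```

The fetcher should connect to the returned addresses rather than re-resolving the name, otherwise a second lookup can be answered with an internal address after the check has passed.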

Recommended Action (AI)

Within 7 days: Identify all affected systems and apply vendor patches promptly. …
