Skip to main content

PHP CVE-2026-29103

CRITICAL
Code Injection (CWE-94)
2026-03-19 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 23:00 vuln.today
CVE Published
Mar 19, 2026 - 22:54 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.

AnalysisAI

A critical remote code execution vulnerability in SuiteCRM versions 7.15.0 and 8.9.2 allows authenticated administrators to execute arbitrary system commands through a bypass of previous security patches. This vulnerability circumvents the ModuleScanner.php security controls by exploiting improper PHP token parsing that resets security checks when encountering single-character tokens, enabling attackers to hide dangerous function calls. The vulnerability represents a direct bypass of the previously patched CVE-2024-49774 and has been assigned a CVSS score of 9.1.

Technical ContextAI

SuiteCRM is an open-source enterprise Customer Relationship Management (CRM) application identified by CPE cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*. The vulnerability stems from CWE-94 (Improper Control of Generation of Code), specifically in the ModuleScanner.php component responsible for detecting dangerous PHP functions. The scanner's flawed token parsing logic incorrectly resets its internal $checkFunction flag when encountering any single-character token such as equals signs, periods, or semicolons, allowing attackers to obfuscate malicious function calls like system() or exec() through variable assignments or string concatenation techniques.

RemediationAI

Immediately upgrade SuiteCRM to version 7.15.1 or 8.9.3 or later, which contain the proper fix for this vulnerability as documented at https://docs.suitecrm.com/admin/releases/7.15.x. Until patching is complete, restrict administrative access to trusted users only and monitor administrator actions for suspicious command execution attempts. Given this is a patch bypass, organizations should verify their ModuleScanner.php implementation properly handles single-character tokens and consider implementing additional code execution monitoring at the system level.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-29103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy