CVE-2026-29106
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2Tags
Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.
Analysis
SuiteCRM versions prior to 7.15.1 and 8.9.3 contain a stored cross-site scripting (XSS) vulnerability in the return_id request parameter, which is insufficiently sanitized before being reflected into HTML event handler attributes. An authenticated attacker with high privileges can craft malicious payloads that execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today