CVE-2026-29109 (PHP)
Severity: HIGH (primary rating from GitHub Advisory, the only source for this CVE)
CVSS 3.1 vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (GitHub Advisory)
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. FilterDefinitionProvider.php calls unserialize() on user-controlled data from the saved_search.contents database column without restricting instantiable classes. Version 8.9.3 patches the issue.
Analysis (AI-generated)
Unsafe deserialization in SuiteCRM versions up to and including 8.9.2 allows an authenticated administrator to execute arbitrary system commands on the server through the SavedSearch filter processing component. The root cause is that FilterDefinitionProvider.php passes user-controlled data read from the saved_search.contents database column to unserialize() without restricting which classes may be instantiated, so any class reachable by the autoloader can be reconstructed, and its deserialization-time magic methods run, from stored input. …
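To make the root cause concrete, the following added example (not SuiteCRM's code; the class, function and sample names are illustrative) contrasts an unrestricted unserialize() of a stored filter definition with a hardened version that uses the `allowed_classes` option, and adds an audit helper a defender can run over existing rows to find stored blobs that carry serialized objects where only plain arrays are expected.

```php
<?php
// Added example, not SuiteCRM code. Shows why unrestricted unserialize() on a
// stored filter definition is dangerous and how allowed_classes closes the door.
declare(strict_types=1);

// Stand-in for any autoloadable class with a deserialization-time magic method.
// In a real application there may be hundreds of such classes; unserialize()
// will instantiate whichever one the stored string names unless told otherwise.
final class AuditedObject
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;   // only a counter here; in a vulnerable app, arbitrary side effects
    }
}

// Vulnerable pattern: every class name carried by the blob is instantiated.
function loadFilterUnsafe(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern (PHP >= 7.0): objects are never rebuilt, they become
// __PHP_Incomplete_Class and no magic method runs; anything that is not the
// plain array structure we expect is rejected.
function loadFilterSafe(string $stored): array
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('filter definition must be a plain array');
    }
    return $value;
}

// Audit helper: report the class names embedded in a stored blob without ever
// instantiating them. Useful for scanning saved_search.contents rows after
// patching to find entries that should not contain objects at all.
function findEmbeddedClasses(string $stored): array
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    $found = [];
    $walk = function ($node, string $path) use (&$walk, &$found): void {
        if ($node instanceof __PHP_Incomplete_Class) {
            $found[] = $path . ' => ' . ((array) $node)['__PHP_Incomplete_Class_Name'];
            return;
        }
        if (is_array($node)) {
            foreach ($node as $k => $v) {
                $walk($v, $path . '/' . $k);
            }
        }
    };
    $walk($value, '');
    return $found;
}

// Constructed sample values standing in for two saved_search.contents rows.
$legit    = serialize(['field' => 'name', 'op' => 'contains', 'value' => 'acme']);
$tampered = serialize(['field' => 'name', 'obj' => new AuditedObject()]);

loadFilterUnsafe($tampered);
printf("unsafe: __wakeup ran %d time(s)\n", AuditedObject::$wakeups);          // 1

AuditedObject::$wakeups = 0;
$r = loadFilterSafe($tampered);
printf("safe:   __wakeup ran %d time(s), obj is %s\n",
    AuditedObject::$wakeups, get_class($r['obj']));                           // 0, __PHP_Incomplete_Class

print_r(findEmbeddedClasses($tampered));   // ['/obj => AuditedObject']
print_r(findEmbeddedClasses($legit));      // []
```

Run it with `php example.php`. The `allowed_classes` option is the minimal fix when the serialized format must stay; the stronger design choice, which also removes the __PHP_Incomplete_Class handling, is to store filter definitions as JSON, since JSON cannot express an object graph for PHP to reconstruct.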
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Requires authenticated administrator access to SuiteCRM versions 8.9.2 and earlier. … |
| Risk Assessment | Remote code execution, denial of service, or authentication bypass through manipulation of serialized object state. |
| Exploit Scenario | An attacker modifies a stored serialized object (for this CVE, the saved_search.contents value that FilterDefinitionProvider.php unserializes) so that it carries a payload executed during the deserialization process. |
| Remediation | Avoid deserializing untrusted data. … |
Recommended Action (AI-generated)
Within 7 days: identify all affected systems (SuiteCRM 8.9.2 and earlier) and apply the vendor patch, version 8.9.3, promptly. …