What is the CVSS score of CVE-2026-33288?

CVE-2026-33288 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Suitecrm are affected by CVE-2026-33288?

SuiteCRM deployments with directory authentication enabled are vulnerable to SQL injection attacks that allow low-privileged users to escalate to administrator access.

How to fix or mitigate CVE-2026-33288?

Within 24 hours: inventory all SuiteCRM instances and confirm which have directory support enabled; disable directory authentication if operationally feasible and document the decision. Within 7 days: implement WAF rules to block SQL injection patterns in authentication requests and restrict network access to SuiteCRM to trusted IP ranges only. Within 30 days: plan and execute upgrade to patched versions (7.15.1 or 8.9.3 or later) or migrate to an alternative CRM solution; establish a change control process for the upgrade.

Suitecrm CVE-2026-33288

HIGH

SQL Injection (CWE-89)

2026-03-20 security-advisories@github.com

Privilege Escalation SQLi Suitecrm

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 20, 2026 - 00:30 vuln.today

CVE Published

Mar 20, 2026 - 00:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.

AnalysisAI

SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with low-privilege directory credentials

Delivery

Submit SQL injection payload in username field

Exploit

Bypass authentication query sanitization

Execution

Execute arbitrary SQL commands

Impact

Escalate privileges to administrator account

Access

Authenticate with low-privilege directory credentials

Delivery

Submit SQL injection payload in username field

Exploit

Bypass authentication query sanitization

Execution

Execute arbitrary SQL commands

Impact

Escalate privileges to administrator account

Vulnerability AssessmentAI

Exploitation	SuiteCRM versions 7.x prior to 7.15.1 and 8.x prior to 8.9.3 with directory support (LDAP/Active Directory) enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This represents a significant real-world risk despite requiring low-privilege directory credentials (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker obtains valid low-privilege credentials for an organization's LDAP or Active Directory service through phishing or credential stuffing attacks. The attacker then crafts a malicious SQL injection payload within the username field during SuiteCRM authentication, exploiting the lack of input sanitization to modify the authentication query and return administrator-level privileges. …
Remediation	Upgrade to SuiteCRM version 7.15.1 or later for the 7.x branch, or version 8.9.3 or later for the 8.x branch, as documented in the official release notes at https://docs.suitecrm.com/admin/releases/7.15.x and security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all SuiteCRM instances and confirm which have directory support enabled; disable directory authentication if operationally feasible and document the decision. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33288 vulnerability details – vuln.today

Back

Suitecrm CVE-2026-33288

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code