CVE-2026-33288
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
Analysis
SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all SuiteCRM instances and confirm which have directory support enabled; disable directory authentication if operationally feasible and document the decision. Within 7 days: implement WAF rules to block SQL injection patterns in authentication requests and restrict network access to SuiteCRM to trusted IP ranges only. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today