PT-2026-26436 · SuiteCRM · SuiteCRM

Jbince · Published 2026-03-19 · Updated 2026-03-20

CVE-2026-29098
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.15.1; SuiteCRM versions prior to 8.9.3

Description: SuiteCRM is an open-source Customer Relationship Management (CRM) application. Before versions 7.15.1 and 8.9.3, the action_exportCustom function in modules/ModuleBuilder/controller.php does not neutralize path traversal sequences in the modules and name request parameters. These values are passed to the exportCustom function in modules/ModuleBuilder/MB/MBPackage.php, which uses them to build the file paths it reads from and writes to. A user with access to the ModuleBuilder module, typically an administrator, can therefore craft a request that copies the contents of any readable directory on the underlying host into the web root, where it becomes accessible over the web. Because ModuleBuilder ships with both major versions 7 and 8, both current release lines are affected. The exposed material may include system files such as the contents of /etc, the web server's document root, and environment variables.

Recommendations: SuiteCRM versions prior to 7.15.1 should be updated to version 7.15.1 or later. SuiteCRM versions prior to 8.9.3 should be updated to version 8.9.3 or later.
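The weakness described above is a request parameter flowing unchecked into a file path. The following PHP is an added example written for this page, not SuiteCRM's own code or its fix, showing the two checks a hardened handler applies to such parameters: a strict allow-list on each path segment, and a lexical containment check that the final path is still under the intended base directory. The function names, the base directory and the sample inputs are all constructed for the example; it assumes PHP 8 (for str_starts_with).

```php
<?php
declare(strict_types=1);

// Added example (not SuiteCRM code): validation and containment for request
// parameters that end up in file paths, such as the "modules" and "name"
// parameters discussed above. $baseDir is a hypothetical packages directory.

/** Accept only plain identifiers: letters, digits and underscore, 1-64 chars. */
function isSafeName(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $value) === 1;
}

/** Lexically normalize a path: drop empty and "." segments, resolve "..". */
function normalizePath(string $path): string
{
    $parts = [];
    foreach (preg_split('#[/\\\\]+#', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);   // never climbs above the root
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/**
 * Build "$baseDir/$module/$name" only if both segments are safe identifiers
 * and the normalized result is still inside $baseDir. Returns null otherwise.
 */
function buildPackagePath(string $baseDir, string $module, string $name): ?string
{
    if (!isSafeName($module) || !isSafeName($name)) {
        return null;   // rejects separators, dots and empty values outright
    }
    $base = normalizePath($baseDir);
    $candidate = normalizePath($base . '/' . $module . '/' . $name);
    if (!str_starts_with($candidate, $base . '/')) {
        return null;   // defense in depth: the result must stay under the base
    }
    return $candidate;
}

// Constructed sample inputs exercising the checks; the base directory is hypothetical.
$baseDir = '/var/www/suitecrm/custom/modulebuilder/packages';
$cases = [
    ['Accounts', 'MyPackage'],    // legitimate module and package name
    ['../../../../etc', 'x'],     // traversal sequence in "modules"
    ['Accounts', '..'],           // traversal sequence in "name"
    ['Acc/ounts', 'pkg'],         // embedded path separator
];
foreach ($cases as [$module, $name]) {
    $result = buildPackagePath($baseDir, $module, $name);
    printf("%-20s %-12s -> %s\n", $module, $name, $result ?? 'REJECTED');
}
```

The allow-list alone blocks every case in the sample set; the containment check exists so that a future change to the allow-list (for example permitting dots in package names) cannot silently reintroduce traversal. Normalization is done lexically rather than with realpath() because the target path may not exist yet when the handler is about to write it.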

Weakness Enumeration

Relative Path Traversal

Related Identifiers

CVE-2026-29098
GHSA-6858-FHW5-56GF

Affected Products

SuiteCRM