PT-2026-26443 · Suitecrm · Suitecrm

D3Dn0V4 · Published 2026-03-19 · Updated 2026-03-20 · CVE-2026-29105

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

SuiteCRM versions prior to 7.15.1
SuiteCRM versions prior to 8.9.3

Description

SuiteCRM contains an unauthenticated open redirect in the WebToLead capture functionality. A user-supplied POST parameter is used as the redirect destination without validation, so an attacker can send victims to arbitrary external websites. Because the redirect is issued by the trusted SuiteCRM domain, it can be abused for phishing and social engineering that leads users to malicious external sites. The vulnerable parameter is a POST parameter used for redirection.

Recommendations

Update to SuiteCRM version 7.15.1 or later.
Update to SuiteCRM version 8.9.3 or later.
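The weakness described above is the classic open-redirect pattern: a form handler copies a client-controlled parameter straight into the Location header. The following Python is an added illustration written for this entry, not SuiteCRM's code and not the patched logic from the fixed releases; the host allow-list, the default landing page, the parameter name "redirect_url" and the function names are all assumptions made for the example. It shows the unsafe pattern next to a hardened version that accepts only site-relative paths or http(s) URLs whose host is allow-listed, and that collapses the usual bypass shapes (protocol-relative "//host", non-http schemes, embedded credentials, backslashes, CRLF) to a safe default.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed configuration for this example: hosts a post-capture redirect may target.
ALLOWED_HOSTS = {"crm.example.com", "www.example.com"}
DEFAULT_TARGET = "/index.php"
REDIRECT_PARAM = "redirect_url"  # hypothetical POST field name


def unsafe_redirect_target(raw: Optional[str]) -> str:
    """The vulnerable pattern: whatever the client sent becomes the Location header."""
    return raw or DEFAULT_TARGET


def safe_redirect_target(raw: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect destination that stays on the trusted site.

    Accepts the value only if it is a site-relative path (exactly one leading
    '/') or an http(s) URL whose host is on the allow-list. Everything else
    (external hosts, protocol-relative URLs, other schemes, userinfo tricks,
    backslashes, header-injection characters) falls back to `default`.
    """
    if not raw:
        return default
    value = raw.strip()
    # Browsers treat '\' like '/', and CR/LF/NUL would let a value break out of
    # the Location header, so reject these outright rather than trying to parse them.
    if any(c in value for c in "\\\r\n\x00"):
        return default
    try:
        parts = urlsplit(value)
        hostname = parts.hostname  # may raise ValueError on malformed IPv6 literals
    except ValueError:
        return default
    # Site-relative path: no scheme, no authority, single leading slash.
    if not parts.scheme and not parts.netloc:
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    # Absolute URL: http(s) only, no embedded credentials, allow-listed host.
    if parts.scheme not in ("http", "https"):
        return default
    if parts.username is not None or parts.password is not None:
        return default
    if (hostname or "").lower() not in allowed_hosts:
        return default
    return value


def handle_capture(form: Mapping[str, str]) -> dict:
    """Simulated form-capture handler: returns the status and headers it would emit."""
    target = safe_redirect_target(form.get(REDIRECT_PARAM))
    return {"status": 302, "headers": {"Location": target}}


if __name__ == "__main__":
    # Constructed sample inputs, each labelled with the bypass shape it represents.
    samples = [
        "/thanks.html",                          # legitimate relative path
        "https://crm.example.com/thanks",        # legitimate allow-listed host
        "https://evil.test/login",               # plain external host
        "//evil.test/login",                     # protocol-relative
        "javascript:alert(1)",                   # non-http scheme
        "https://crm.example.com@evil.test/",    # userinfo trick
        "/\\evil.test",                          # backslash trick
        "/ok\r\nSet-Cookie: x=y",                # header injection attempt
    ]
    for s in samples:
        print(f"{s!r:45} unsafe -> {unsafe_redirect_target(s)!r:40} safe -> {safe_redirect_target(s)!r}")
```

The allow-list check is deliberately on the parsed hostname rather than a string prefix, since "https://crm.example.com.evil.test" and "https://crm.example.com@evil.test" both start with the trusted name yet resolve elsewhere; a prefix check is the most common way such a fix is got wrong.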

Weakness Enumeration

Open Redirect

Related identifiers

CVE-2026-29105
GHSA-9CRG-83CG-WV74

Affected products

Suitecrm