PT-2025-45526 · Suitecrm · Suitecrm

Published: 2025-11-06 · Updated: 2025-12-17 · CVE-2025-64493

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions 8.6.0 through 8.9.0
Description: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) application. Versions 8.6.0 through 8.9.0 are susceptible to an authenticated, blind (time-based) SQL injection in the appMetadata operation of the GraphQL API, exposed at the '/graphql' endpoint. A low-privileged authenticated user can use it to extract arbitrary data from the database; administrative access is not required.
Recommendations: Versions prior to 8.9.1 are affected. Update to version 8.9.1 or later to resolve this issue.
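Because the injection is blind and time-based, exploitation leaves a characteristic trace in access logs: one authenticated user issuing many appMetadata requests to /graphql, a large share of which take an artificially long and consistent time to complete. The following detector is an added example written for this advisory, not code from SuiteCRM or from the advisory author. It assumes a simplified, constructed log format (timestamp, user, method, path, status, duration in milliseconds, GraphQL operation name); real deployments would adapt the regex to their web server or reverse proxy format. The thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the advisory). Assumed format:
# <epoch_seconds> <user> <method> <path> <status> <duration_ms> op=<graphql operation>
SAMPLE_LOGS = """\
1730880000 alice POST /graphql 200 120 op=appMetadata
1730880001 alice POST /graphql 200 95 op=getRecord
1730880002 bob POST /graphql 200 5210 op=appMetadata
1730880003 bob POST /graphql 200 5185 op=appMetadata
1730880004 bob POST /graphql 200 110 op=appMetadata
1730880005 bob POST /graphql 200 5230 op=appMetadata
1730880006 bob POST /graphql 200 5190 op=appMetadata
1730880007 carol POST /graphql 200 130 op=appMetadata
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ms>\d+) op=(?P<op>\S+)$"
)


def parse(lines):
    """Parse log text into event dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = int(d["ts"])
        d["ms"] = int(d["ms"])
        events.append(d)
    return events


def detect_time_based_probe(events, slow_ms=3000, min_slow=2, window_s=60):
    """Flag users whose appMetadata calls on /graphql are repeatedly slow within a time window.

    A blind time-based SQL injection is extracted bit by bit, so the attacker-side pattern is
    many requests to the same operation where the 'true' branch carries a fixed delay.
    Ordinary appMetadata calls (alice, carol in the sample) complete in a fraction of a second.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["path"] == "/graphql" and e["op"] == "appMetadata":
            per_user[e["user"]].append(e)

    findings = {}
    for user, evs in per_user.items():
        slow = sorted((e for e in evs if e["ms"] >= slow_ms), key=lambda e: e["ts"])
        # Sliding window over the slow requests only: report the first window that
        # contains at least min_slow slow appMetadata calls from this user.
        for i, first in enumerate(slow):
            j = i
            while j < len(slow) and slow[j]["ts"] - first["ts"] <= window_s:
                j += 1
            if j - i >= min_slow:
                findings[user] = {
                    "slow_requests": j - i,
                    "first_ts": first["ts"],
                    "max_ms": max(x["ms"] for x in slow[i:j]),
                }
                break
    return findings


if __name__ == "__main__":
    for user, info in detect_time_based_probe(parse(SAMPLE_LOGS)).items():
        print(f"possible blind SQLi probing via appMetadata by {user}: {info}")
```

The detector keys on the two facts the advisory gives (the /graphql endpoint and the appMetadata operation) plus the timing signature inherent to blind time-based injection, so it needs no knowledge of the specific injected parameter. It is a triage signal, not proof: a slow database or a heavy report can also produce long appMetadata calls, which is why it requires several slow requests from the same authenticated user inside a short window before reporting. Patching to 8.9.1 or later remains the fix; this only helps spot attempts against unpatched instances.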

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-13970
CVE-2025-64493
GHSA-5GCJ-MFQQ-V8F7

Affected Products

Suitecrm