PT-2026-26430 · Suitecrm · Suitecrm

Q1Uf3Ng
Published: 2026-03-19
Updated: 2026-03-25
CVE: CVE-2026-29096
CVSS v3.1: 8.1 (High), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.15.1; SuiteCRM versions prior to 8.9.3
Description: SuiteCRM is an open-source Customer Relationship Management (CRM) application. Prior to versions 7.15.1 and 8.9.3, the field_function parameter received through POST data in the AOR Reports module is saved directly into the aor_fields table without validation. When the report is later executed or viewed, the stored value is concatenated into the SQL SELECT statement without sanitization. This is a second-order (stored) SQL injection: the malicious value is accepted in one request and triggered by a later one, so filtering applied only to the report-execution request does not prevent it. An authenticated user with access to the Reports module can use it to read arbitrary database contents, including password hashes, API tokens and configuration values. In MySQL environments where the application's database account holds the FILE privilege, remote code execution (RCE) may additionally be possible through SELECT ... INTO OUTFILE; in practice this also requires that secure_file_priv allows writing to a location from which the web server will execute files.
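The write-then-read flow described above, as an added illustration that is not SuiteCRM's own PHP code: a Python and SQLite model in which the function name from a POST body is stored in an aor_fields row and later spliced into a SELECT, placed beside a hardened version that allowlists the identifiers on both the write and the read path. The table layouts, the accounts and users tables, the allowlists and the sample password hash are all constructed for the demo.

```python
"""Second-order SQL injection through a stored function name, modelled in SQLite.

Added example, not SuiteCRM's code. It mirrors the flow the advisory describes:
a function name from a POST body is written to an aor_fields row, and a later
report run splices that stored value into a SELECT. Table layouts, column names
and the sample password hash are constructed for the demo.
"""
import sqlite3

# Aggregate functions a report field may legitimately use (assumed allowlist).
ALLOWED_FUNCTIONS = {"COUNT", "SUM", "AVG", "MIN", "MAX"}
# Columns of the reported table that a field may reference (assumed allowlist).
ALLOWED_COLUMNS = {"id", "name"}


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE aor_fields (id INTEGER PRIMARY KEY, field TEXT, field_function TEXT);
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_hash TEXT);
        INSERT INTO accounts (name) VALUES ('Acme'), ('Globex');
        INSERT INTO users (user_name, user_hash)
            VALUES ('admin', '$2y$10$constructed.hash.for.demo');
        """
    )
    return conn


def save_report_field_vulnerable(conn, post_data: dict) -> None:
    """Write path as described: the function name is stored unvalidated.

    The INSERT itself is parameterised, which is why the bug is easy to miss:
    nothing breaks here, the damage happens when the value is read back.
    """
    conn.execute(
        "INSERT INTO aor_fields (field, field_function) VALUES (?, ?)",
        (post_data["field"], post_data["field_function"]),
    )


def run_report_vulnerable(conn) -> list:
    """Read path as described: the stored value is concatenated into the query."""
    field, fn = conn.execute(
        "SELECT field, field_function FROM aor_fields ORDER BY id LIMIT 1"
    ).fetchone()
    sql = f"SELECT {fn}({field}) FROM accounts"  # second-order sink
    return conn.execute(sql).fetchall()


def save_report_field_hardened(conn, post_data: dict) -> None:
    """Write path with allowlists: only known identifiers are ever stored."""
    fn = post_data["field_function"].upper()
    field = post_data["field"]
    if fn not in ALLOWED_FUNCTIONS or field not in ALLOWED_COLUMNS:
        raise ValueError("unsupported field or function in report definition")
    conn.execute(
        "INSERT INTO aor_fields (field, field_function) VALUES (?, ?)", (field, fn)
    )


def run_report_hardened(conn) -> list:
    """Read path that re-checks the stored value before building the query.

    Validating on read as well as on write matters for a second-order bug:
    rows written before the fix, or through another code path, must not be
    trusted just because they came from the application's own database.
    """
    field, fn = conn.execute(
        "SELECT field, field_function FROM aor_fields ORDER BY id LIMIT 1"
    ).fetchone()
    if fn not in ALLOWED_FUNCTIONS or field not in ALLOWED_COLUMNS:
        raise ValueError(f"refusing stored report field {fn!r}({field!r})")
    return conn.execute(f"SELECT {fn}({field}) FROM accounts").fetchall()


# Constructed payload: it prepends an extra select-list item, so the final
# query built by the vulnerable read path becomes
#   SELECT (SELECT user_hash FROM users LIMIT 1) AS leak, COUNT(name) FROM accounts
LEAK_PAYLOAD = "(SELECT user_hash FROM users LIMIT 1) AS leak, COUNT"


if __name__ == "__main__":
    conn = setup_db()
    save_report_field_vulnerable(conn, {"field": "name", "field_function": LEAK_PAYLOAD})
    print("vulnerable:", run_report_vulnerable(conn))
    try:
        run_report_hardened(conn)
    except ValueError as exc:
        print("hardened read path:", exc)
```

The point the model makes is that the parameterised INSERT on the write path is not the bug; the stored string becomes an injection only when it is reused as SQL text. Validating against a closed allowlist of function and column names on both sides is what closes a second-order hole, because it also neutralises rows that were stored before the fix.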
Recommendations: SuiteCRM installations on versions prior to 7.15.1 should be updated to version 7.15.1 or later, and installations on versions prior to 8.9.3 to version 8.9.3 or later. Because the injected value is persisted in the aor_fields table rather than used immediately, report definitions created before the upgrade should also be reviewed: a field_function value that is anything other than a plain aggregate function name indicates an exploitation attempt and should be removed.

Fix: available in SuiteCRM 7.15.1 and 8.9.3
Weakness Enumeration: SQL injection
Related Identifiers: CVE-2026-29096
Affected Products: SuiteCRM