PT-2026-26437 · Suitecrm · Suitecrm

Jbince · Published 2026-03-19 · Updated 2026-03-20 · CVE-2026-29099
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.15.1; SuiteCRM versions prior to 8.9.3
Description: SuiteCRM is an open-source Customer Relationship Management (CRM) application. Prior to versions 7.15.1 and 8.9.3, the retrieve() function in include/OutboundEmail/OutboundEmail.php does not properly neutralize the user-controlled $id parameter. The function relies on its callers to sanitize user input, but that sanitization is not applied consistently at every call site, specifically the EmailUIAjax action on the Email() module. This allows an authenticated user to potentially perform SQL injection through the retrieve() function, and so to retrieve arbitrary information from the database, including user information and password hashes.
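As an added illustration that is not SuiteCRM's code, the following hypothetical PHP sketch shows the pattern the description names: a retrieve($id) that trusts its callers to sanitize, one caller that does and one that forwards raw input, beside a version that binds $id at the sink so no call site can omit the step. It assumes PHP with the pdo_sqlite extension; the table, column names and caller functions are made up for the example.

```php
<?php
// Hypothetical illustration of the pattern in CVE-2026-29099, not SuiteCRM's code.
// Assumes PHP with pdo_sqlite; the table, columns and callers are constructed here.

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE outbound_email (id TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO outbound_email VALUES ('1', 'system'), ('2', 'bob')");

// Vulnerable pattern: $id is interpolated into the statement, so a quote in $id
// ends the literal and the remainder is parsed as SQL. Correctness depends on
// every caller having sanitized $id first.
function retrieveUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM outbound_email WHERE id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the sink binds $id as a value. Whatever the caller passes is
// compared as one opaque string, so an unsanitized call site cannot change the query.
function retrieveSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT id, name FROM outbound_email WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Call site A sanitizes before calling (the behaviour the original relied on).
function fetchViaSanitizingCaller(PDO $db, string $userInput): array
{
    $clean = preg_replace('/[^A-Za-z0-9-]/', '', $userInput); // keep GUID-like characters only
    return retrieveUnsafe($db, $clean);
}

// Call site B forwards request input untouched, like the inconsistently
// sanitized path the advisory describes.
function fetchViaForgetfulCaller(PDO $db, string $userInput): array
{
    return retrieveUnsafe($db, $userInput);
}

// Constructed input: a record id followed by a quote and a tautology.
$input = "1' OR '1'='1";

foreach (['sanitizing caller'  => fetchViaSanitizingCaller($db, $input),
          'forgetful caller'   => fetchViaForgetfulCaller($db, $input),
          'parameterized sink' => retrieveSafe($db, $input)] as $label => $rows) {
    printf("%-18s -> %d row(s)\n", $label, count($rows));
}
```

Only the forgetful caller on the unsafe sink returns more rows than the one record the id names; the parameterized sink compares the whole string as a single id value regardless of which caller reaches it.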
Recommendations: SuiteCRM versions prior to 7.15.1 should be updated to version 7.15.1 or later. SuiteCRM versions prior to 8.9.3 should be updated to version 8.9.3 or later.

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-29099
GHSA-38RF-H37X-7767

Affected Products

Suitecrm