CVE-2026-29103

Name of the Vulnerable Software and Affected Versions SuiteCRM versions 7.15.0 and 8.9.2

Description SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A critical Remote Code Execution (RCE) issue exists, allowing authenticated administrators to execute arbitrary system commands. The issue is a bypass of a previous patch attempt for CVE-2024-49774. The underlying flaw resides in the ModuleScanner.php file, specifically in its PHP token parsing logic. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering single-character tokens (such as =, ., or ;). This allows attackers to conceal dangerous function calls, like system() or exec(), using variable assignments or string concatenation, effectively bypassing the MLP security controls.

Recommendations Update to SuiteCRM version 7.15.1 or 8.9.3.