PT-2026-26442 · Suitecrm · Suitecrm

D3Dn0V4 · Published 2026-03-19 · Updated 2026-05-13 · CVE-2026-29104

CVSS v3.1: 2.7 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.15.1; SuiteCRM versions prior to 8.9.3

Description: SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, it contains an authenticated arbitrary file upload issue in the Configurator module. An authenticated administrator can bypass file type restrictions when uploading PDF font files, allowing arbitrary files with attacker-controlled filenames to be written to the server. While the upload directory is not directly web-accessible by default, this breaks security boundaries and may enable further attacks when combined with other issues or in certain deployment configurations.

Recommendations: SuiteCRM versions prior to 7.15.1 should be updated to version 7.15.1 or later. SuiteCRM versions prior to 8.9.3 should be updated to version 8.9.3 or later.
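The description names two controls that the affected versions get wrong: the file type is decided from something the uploader can influence, and the stored filename is taken from the client. The following validator is an added example (not SuiteCRM's own code, which is PHP) showing how an upload handler can close both gaps: the type is derived from the file's magic bytes, the extension is assigned from that detected type rather than from the client name, and the client name is reduced to a sanitized stem before it touches the filesystem. The assumption that only TrueType/OpenType fonts are expected, the `store_font` helper and the upload directory are all hypothetical; the sample inputs are constructed and are not real font files.

```python
"""Defensive font-upload validator (added example, not SuiteCRM code)."""
import hashlib
import os
import re
from typing import Optional

# Assumption: only TrueType/OpenType fonts are accepted. Keys are the first
# four bytes (sfnt version tag) of each format.
_FONT_SIGNATURES = {
    b"\x00\x01\x00\x00": "ttf",  # TrueType
    b"true": "ttf",              # Apple-flavoured TrueType
    b"OTTO": "otf",              # OpenType with CFF outlines
}

# Anything outside this set is replaced in the stored filename's stem.
_UNSAFE_STEM_CHARS = re.compile(r"[^A-Za-z0-9_-]")


def detect_font_type(data: bytes) -> Optional[str]:
    """Return 'ttf' / 'otf' from the content's magic bytes, or None otherwise."""
    return _FONT_SIGNATURES.get(data[:4])


def sanitize_stem(client_name: str) -> str:
    """Reduce a client-supplied name to a safe stem; its extension is discarded.

    Path separators (both flavours) are stripped by taking the basename, so
    '../../x.php' becomes 'x'. The extension is never trusted: it is re-derived
    from the detected content type in safe_font_filename().
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    stem = base.rsplit(".", 1)[0] if "." in base else base
    stem = _UNSAFE_STEM_CHARS.sub("_", stem)[:64]
    return stem or "font"


def safe_font_filename(client_name: str, data: bytes) -> str:
    """Build the on-disk name for an upload, or raise ValueError.

    The extension comes from the detected type and the stem is sanitized, so
    neither a '.php' suffix nor '../' segments in the client name reach disk.
    A short content hash is appended so two uploads cannot overwrite each other.
    """
    kind = detect_font_type(data)
    if kind is None:
        raise ValueError("upload rejected: content is not a TrueType/OpenType font")
    digest = hashlib.sha256(data).hexdigest()[:12]
    return f"{sanitize_stem(client_name)}-{digest}.{kind}"


def store_font(upload_dir: str, client_name: str, data: bytes) -> str:
    """Hypothetical storage step: write the validated font and return its path."""
    name = safe_font_filename(client_name, data)
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:  # belt-and-braces containment check
        raise ValueError("upload rejected: path escapes the upload directory")
    with open(path, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed inputs: a TrueType-looking header and a PHP-looking payload
    # carrying a font-like name. Neither is a real font.
    looks_like_ttf = b"\x00\x01\x00\x00" + b"\x00" * 60
    looks_like_php = b"<?php echo 1; ?>"
    print(safe_font_filename("../../shell.php", looks_like_ttf))  # shell-<hash>.ttf
    for name in ("font.ttf", "../../shell.php"):
        try:
            print(safe_font_filename(name, looks_like_php))
        except ValueError as err:
            print(name, "->", err)
```

The key design choice is that the client name only ever contributes a stem: the extension, and therefore how the web server would treat the file, is decided by content inspection, and the realpath check in `store_font` catches any residual traversal regardless of how the name was built.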

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload

Related identifiers

CVE-2026-29104
GHSA-5HX9-CMMX-26P3

Affected products

Suitecrm