PT-2026-26443 · SuiteCRM · SuiteCRM
D3Dn0V4
Published 2026-03-19 · Updated 2026-03-20
CVE-2026-29105
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
SuiteCRM versions prior to 7.15.1
SuiteCRM versions prior to 8.9.3
Description
SuiteCRM contains an unauthenticated open redirect in the WebToLead capture functionality: a user-supplied POST parameter is used as the redirect destination without validation, so an attacker can send victims to an arbitrary external website. Because the redirect originates from the trusted SuiteCRM domain, it can be abused for phishing and social engineering against users who follow the link.
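As an added illustration (not code from this advisory or from SuiteCRM, whose code base is PHP), the Python below places the pattern the description names, a POST value copied straight into the redirect, next to a hardened handler that accepts only site-relative paths or absolute http(s) URLs on the deployment's own host. The parameter name `redirect_url`, the host `crm.example.test` and the fallback path `/index.php` are assumptions, not values from the page; the sample submissions are constructed.

```python
"""Added example: validating a user-supplied redirect destination.

Not SuiteCRM code. The parameter name, trusted host and fallback path
below are assumed for illustration.
"""
from urllib.parse import urlsplit

TRUSTED_HOST = "crm.example.test"   # assumed hostname of the CRM deployment
FALLBACK_PATH = "/index.php"        # assumed safe landing page


def vulnerable_redirect(form: dict) -> str:
    """The pattern the advisory describes: the POST value becomes the
    Location header with no validation at all."""
    return form.get("redirect_url", FALLBACK_PATH)


def is_safe_redirect(target: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Accept only site-relative paths or absolute http(s) URLs on the
    trusted host. Other hosts, protocol-relative '//host' forms,
    backslash variants, non-http schemes and values containing
    whitespace or control characters are all rejected."""
    if not target:
        return False
    t = target.strip()
    # Whitespace or control characters inside the value are never
    # legitimate and are a common way to confuse URL parsers.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return False
    # Browsers treat '/\host' and '\\host' like '//host', so reject any
    # backslash rather than trying to normalise it.
    if "\\" in t:
        return False
    parts = urlsplit(t)
    scheme = parts.scheme.lower()
    if parts.netloc:
        # Absolute ('https://host/...') or protocol-relative ('//host/...').
        # Require an explicit http(s) scheme and an exact host match.
        # parts.hostname drops any 'user@' prefix and the port, so
        # 'https://trusted@evil/' is compared as 'evil' and rejected.
        return scheme in ("http", "https") and parts.hostname == trusted_host
    if scheme:
        # 'javascript:...', 'data:...', 'http:evil' and similar carry a
        # scheme but no netloc; none of them is a valid internal target.
        return False
    # No scheme and no host: allow only a single-slash site-relative path.
    return t.startswith("/") and not t.startswith("//")


def hardened_redirect(form: dict) -> str:
    """Same handler with the destination validated; an unsafe value is
    replaced by a fixed internal page instead of being echoed back."""
    target = form.get("redirect_url", "")
    return target if is_safe_redirect(target) else FALLBACK_PATH


if __name__ == "__main__":
    # Constructed sample submissions, not captured traffic.
    samples = [
        {"redirect_url": "/index.php?module=Home"},
        {"redirect_url": "https://crm.example.test/thank-you"},
        {"redirect_url": "https://evil.example/phish"},
        {"redirect_url": "//evil.example/phish"},
        {"redirect_url": "/\\evil.example"},
        {"redirect_url": "https://crm.example.test@evil.example/"},
        {"redirect_url": "javascript:alert(1)"},
    ]
    for s in samples:
        print(f"{s['redirect_url']!r:45} vulnerable -> "
              f"{vulnerable_redirect(s)!r:42} hardened -> {hardened_redirect(s)!r}")
```

The check is deliberately strict: it does not try to canonicalise odd inputs, it simply refuses them and sends the user to a known page. If the form legitimately needs to land on several hosts, extend the comparison to an explicit allow-list of hostnames rather than a substring or prefix match, which `crm.example.test.evil.example` would otherwise satisfy.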
Recommendations
Update to SuiteCRM version 7.15.1 or later.
Update to SuiteCRM version 8.9.3 or later.
Weakness Enumeration
Open Redirect
Related Identifiers
Affected Products
SuiteCRM