CVE-2026-29106

Name of the Vulnerable Software and Affected Versions SuiteCRM versions prior to 7.15.1 SuiteCRM versions prior to 8.9.3

Description SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the return id request parameter's value is copied into an HTML tag attribute, specifically an event handler, which is enclosed in double quotation marks. This can lead to a cross-site scripting (XSS) issue.

Recommendations Update to SuiteCRM version 7.15.1 or later. Update to SuiteCRM version 8.9.3 or later. Implement a Content Security Policy (CSP) header to mitigate XSS.