PT-2026-26451 · Suitecrm · Suitecrm

Guilhermemury

·

Published

2026-03-19

·

Updated

2026-03-20

·

CVE-2026-33288

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SuiteCRM versions prior to 7.15.1
SuiteCRM versions prior to 8.9.3

Description

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A SQL injection issue exists in the authentication mechanisms when directory support is enabled. The application does not properly sanitize the username supplied by the user before using it in a database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, potentially leading to complete privilege escalation, such as logging in as the CRM Administrator.

Recommendations

SuiteCRM versions prior to 7.15.1 should be updated to version 7.15.1 or later. SuiteCRM versions prior to 8.9.3 should be updated to version 8.9.3 or later.
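As an added illustration (not SuiteCRM's code), the defect class described above modeled in Python against an in-memory SQLite table: a lookup that splices the directory-supplied username into the SQL text, beside the parameterized lookup that fixes it. The table layout and sample rows are constructed; a legitimate username containing an apostrophe is enough to show that unescaped input reaches the SQL parser.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the CRM users table (not SuiteCRM's real schema).
SAMPLE_USERS = [
    ("1", "admin", 1),
    ("2", "alice", 0),
    ("3", "o'brien", 0),   # a valid account name that contains a quote character
]

Row = Tuple[str, str, int]


def make_db() -> sqlite3.Connection:
    """Build the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, user_name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> Optional[Row]:
    # Defect class from the advisory: the username taken from the directory login is
    # concatenated into the statement, so the database parses whatever it contains.
    sql = f"SELECT id, user_name, is_admin FROM users WHERE user_name = '{username}'"
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> Optional[Row]:
    # Fix: bind the username as a parameter. The SQL text is fixed at development
    # time and the value can never change the statement's structure.
    sql = "SELECT id, user_name, is_admin FROM users WHERE user_name = ?"
    return conn.execute(sql, (username,)).fetchone()


def vulnerable_query_fails(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated query is rejected by the SQL parser for this input,
    which is the observable symptom that user data is being parsed as SQL."""
    try:
        lookup_user_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe lookup of o'brien:", lookup_user_safe(db, "o'brien"))
    print("concatenated query breaks on o'brien:", vulnerable_query_fails(db, "o'brien"))
```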

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-33288
GHSA-7G39-M4FG-VRQ7

Affected Products

Suitecrm