CVE-2026-29096
SuiteCRM vulnerable to Authenticated SQL Injection via unsanitized field_function in Report Fields
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.
| CWE | CWE-89 |
| Vendor | suitecrm |
| Product | suitecrm |
| Published | Mar 19, 2026 |
| Last Updated | Mar 25, 2026 |
Get instant alerts for suitecrm suitecrm
Be the first to know when new high vulnerabilities affecting suitecrm suitecrm are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N