SuiteCRM Vulnerabilities Allow Code Execution, Data Manipulation, SSRF, DoS
Summary
CERT-Bund has issued a security advisory for SuiteCRM, detailing multiple vulnerabilities that could allow attackers to execute arbitrary code, manipulate data, perform SSRF attacks, or cause denial-of-service conditions. The advisory affects versions prior to 7.15.1 and 8.9.3, with a CVSS base score of 8.8.
What changed
CERT-Bund has released a security advisory (WID-SEC-2026-0792) concerning critical vulnerabilities in SuiteCRM, an open-source CRM application. The vulnerabilities, rated with a CVSS base score of 8.8, affect versions of SuiteCRM prior to 7.15.1 and 8.9.3. Exploitation could lead to arbitrary code execution, data manipulation, server-side request forgery (SSRF), and denial-of-service (DoS) attacks on Linux, UNIX, and Windows operating systems.
Organizations using affected versions of SuiteCRM must update to patched versions (7.15.1 or later, and 8.9.3 or later) as soon as possible to mitigate these risks. Failure to apply the updates could expose sensitive customer data and business operations to significant security threats, including unauthorized access and system disruption. This advisory highlights the ongoing need for diligent patch management for all critical business applications.
What to do next
- Update SuiteCRM to version 7.15.1 or later
- Update SuiteCRM to version 8.9.3 or later
Source document (simplified)
[WID-SEC-2026-0792] SuiteCRM: Multiple vulnerabilities
CVSS Base Score: 8.8 (high)
CVSS Temporal Score: 7.7 (high)
Remote attack: yes
Date: 18.03.2026
Last updated: 19.03.2026
Mitigation: yes
Affected systems
Operating system
- Linux
- UNIX
- Windows
Product description
SuiteCRM is an open-source customer relationship management (CRM) application for managing customer relationships.
Products
18.03.2026
- Open Source SuiteCRM <7.15.1
- Open Source SuiteCRM <8.9.3
Attack
An attacker can exploit multiple vulnerabilities in SuiteCRM to execute arbitrary program code, bypass security measures, manipulate data, perform server-side request forgery, launch phishing attacks, or cause a denial-of-service condition.