V
Scaner-VS
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
CVE-2026-29104
CVE
Low

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.…

CVSS
2.7
Low
EPSS
0.00
p13
Published
2026-01-01
Updated
2026-01-01
Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.

Tags · CWE
File upload
CWE-434
CAPEC-1
Affected products
Suitecrm < 7.15.1Suitecrm 8.0.0–8.9.3
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Timeline
2026-01-01
Published
2026-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: H
High (H)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: N
None (N)
Integrity Impact
I: L
Low (L)
Availability Impact
A: N
None (N)
Exploit indicators
EPSS
0.002 · p13
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
ProductVendorStatus
Tracked
suitecrm*Tracked