{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29099", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.708Z", "datePublished": "2026-03-19T22:46:56.418Z", "dateUpdated": "2026-03-19T22:46:56.418Z"}, "containers": {"cna": {"title": "SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:46:56.418Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-38rf-h37x-7767", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue."}], "id": "CVE-2026-29099", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.920", "references": [{"source": "security-advisories@github.com", "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T00:52:20.438337+00:00", "value": {"mitigation_remediation": ["Apply the SuiteCRM security update to version 7.15.1 or later, or 8.9.3 or later.", "Verify that the update is installed on all affected installations.", "If immediate patching is not possible, restrict access to the EmailUIAjax action within the Email module for authenticated users.", "Monitor application logs for unusual database activity that may indicate attempted exploitation."], "summary": {"action": "Patch", "impact": "SQL injection allowing data exfiltration"}, "threat_synthesis": {"affected_systems": "All installations of SuiteCRM version 7.15 or 8.9 that are earlier than 7.15.1 and 8.9.3 are affected. The patch is available in versions 7.15.1 and 8.9.3, which neutralize the input. The vulnerability is tied to the SuiteCRM product; no other vendors or products are impacted.", "description_and_impact": "An authenticated blind SQL injection flaw exists in SuiteCRM\u2019s OutboundEmail.php retrieve() function. The function fails to neutralize the user\u2011controlled $id parameter when invoked through the EmailUIAjax action on the Email module. An attacker with valid credentials can inject arbitrary SQL, potentially reading any table and exfiltrating critical data such as user accounts and password hashes. The weakness is classified as CWE\u201189.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8, indicating high severity. An EPSS score is not available and it is not listed in the CISA KEV catalog. Because the flaw requires authentication, the attack surface is limited to legitimate users, but any authenticated user could exploit the injection to compromise data confidentiality. No public exploit code is referenced in the supplied URLs. Organizations using a vulnerable SuiteCRM instance should treat this as a significant risk until patched."}}}}, "created": "2026-03-20T08:54:37.319437+00:00", "updated": "2026-03-20T10:44:05.359523+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}