{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29104", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.709Z", "datePublished": "2026-03-19T22:55:51.535Z", "dateUpdated": "2026-03-19T22:55:51.535Z"}, "containers": {"cna": {"title": "SuiteCRM Vulnerable to Authenticated Arbitrary File Upload via Configurator addfontresult View in SuiteCRM", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:55:51.535Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker\u2011controlled filenames to be written to the server. Although the upload directory is not directly web\u2011accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-5hx9-cmmx-26p3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker\u2011controlled filenames to be written to the server. Although the upload directory is not directly web\u2011accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue."}], "id": "CVE-2026-29104", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:43.147", "references": [{"source": "security-advisories@github.com", "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T00:25:05.403419+00:00", "value": {"mitigation_remediation": ["Upgrade SuiteCRM to version 7.15.1, 8.9.3, or later to apply the vendor patch.", "Restrict access to the Configurator module to trusted administrators only.", "Enforce stricter file\u2011type validation or block unexpected file uploads to the upload directory.", "Verify that the upload directory is non\u2011web\u2011accessible and that its permissions are set to the minimum required for the application."], "summary": {"action": "Apply Patch", "impact": "Authenticated Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all SuiteCRM implementations prior to versions 7.15.1 and 8.9.3. The affected product is SuiteCRM, and no additional build or patch information beyond the version cutoff is provided. Administrators with authenticated access on these versions are at risk until the fix is installed.", "description_and_impact": "SuiteCRM, an open\u2011source customer relationship management application, contains a flaw in its Configurator module that allows an authenticated administrator to bypass the intended file type restrictions when uploading PDF font files. Attackers can upload any file with a controlled filename via the addfontresult view, resulting in the file being written to a server directory that is normally not web\u2011accessible. This failure to validate file types is classified as CWE-434. Although the upload location is not directly reachable from the web, the vulnerability breaks the intended security boundary and can facilitate further attacks when combined with other weaknesses or misconfigured deployments.", "risk_and_exploitability": "The CVSS score is 2.7, indicating low severity, and the vulnerability is not listed in the CISA KEV catalog. No EPSS data is available. Exploitation requires valid administrative credentials, meaning that compromise of an administrator account or use of social engineering is necessary. The overall risk is low, but the issue could serve as one component in a larger attack chain if combined with other unpatched vulnerabilities."}}}}, "created": "2026-03-20T08:54:31.327043+00:00", "updated": "2026-03-20T10:43:59.184411+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}