{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33288", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-19T23:08:11.165Z", "dateUpdated": "2026-03-20T18:09:17.763Z"}, "containers": {"cna": {"title": "SuiteCRM has Authenticated SQL Injection in Authentication Module", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:08:11.165Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-7g39-m4fg-vrq7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:58:11.596581Z", "id": "CVE-2026-33288", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:09:17.763Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33288", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T16:58:11.596581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:58:32.617Z"}}], "cna": {"title": "SuiteCRM has Authenticated SQL Injection in Authentication Module", "source": {"advisory": "GHSA-7g39-m4fg-vrq7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.15.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7", "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:08:11.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33288", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:09:17.763Z", "dateReserved": "2026-03-18T18:55:47.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:08:11.165Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."}], "id": "CVE-2026-33288", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:18.470", "references": [{"source": "security-advisories@github.com", "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T01:21:54.236487+00:00", "value": {"mitigation_remediation": ["Upgrade to SuiteCRM 7.15.1 or later (or 8.9.3 or newer) to apply the official fix.", "Disable directory authentication in SuiteCRM if an upgrade cannot be performed immediately.", "Monitor authentication logs for repeated or unusual username attempts to detect exploitation attempts."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation via SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is SuiteCRM as listed by the vendor. All SuiteCRM releases prior to version 7.15.1 and 8.9.3 are vulnerable when directory authentication is enabled. Versions 7.15.1 and 8.9.3 contain the fix.", "description_and_impact": "SuiteCRM authentication module implements directory-based authentication that contains an authenticated SQL injection flaw when directory support is enabled. The flaw occurs because the username input is not properly validated before inclusion in a database query. An attacker who has a valid, low\u2011privilege directory account can supply a crafted username that causes the database to execute arbitrary SQL commands, allowing the attacker to elevate privileges to that of the CRM administrator. This vulnerability is identified as CWE\u201189.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates high severity. EPSS data is not provided. KEV catalog does not list the vulnerability. The flaw requires an authenticated low\u2011privilege directory account; the attacker must first log in to the web interface using such credentials, then submit a malicious username. Upon successful exploitation the attacker achieves full administrative privileges. The risk is significant for environments that use directory authentication and maintain low\u2011privilege accounts."}}}}, "created": "2026-03-20T08:54:24.687085+00:00", "updated": "2026-03-20T10:43:52.209620+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}