CVE-2026-29106

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-29106
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References
Link Resource
https://docs.suitecrm.com/admin/releases/7.15.x Release Notes
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*
History

24 Mar 2026, 13:58

Type Values Removed Values Added
References () https://docs.suitecrm.com/admin/releases/7.15.x - () https://docs.suitecrm.com/admin/releases/7.15.x - Release Notes
References () https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m - () https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m - Vendor Advisory
Summary
  • (es) SuiteCRM es una aplicación de software de gestión de relaciones con clientes (CRM) de código abierto y lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, el valor del parámetro de solicitud return_id se copia en el valor de un atributo de etiqueta HTML que es un gestor de eventos y está encapsulado entre comillas dobles. Las versiones 7.15.1 y 8.9.3 parchean el problema. Los usuarios también deben usar una cabecera de Política de Seguridad de Contenido (CSP) para mitigar completamente el XSS.
First Time Suitecrm
Suitecrm suitecrm
CPE cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

19 Mar 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-19 23:16

Updated : 2026-03-24 13:58

NVD link : CVE-2026-29106

Mitre link : CVE-2026-29106

CVE.ORG link : CVE-2026-29106

JSON object : View

Products Affected

suitecrm

  • suitecrm
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-116

Improper Encoding or Escaping of Output

CWE-159

Improper Handling of Invalid Use of Special Elements