Arbitrary file upload in Suitecrm
CVE-2026-29104
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module…
Vulnerability class: Unrestricted File Upload
EPSS: 0.001 (16.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 2.7 (Low). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Suitecrm — versions < 7.15.1, >= 8.0.0, < 8.9.3
Weakness classification (CWE)
References
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3 (x_refsource_CONFIRM)
- https://docs.suitecrm.com/admin/releases/7.15.x (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-29104?
- CVE-2026-29104 is a low-severity vulnerability in Suitecrm, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 2.7/10. Published 2026-03-19.
- How severe is CVE-2026-29104?
- Low severity. CVSS v3 base score is 2.7 out of 10.