Vulnerability Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Suitecrm | Suitecrm | < 7.15.1 |
Related Weaknesses (CWE)
References
- https://docs.suitecrm.com/admin/releases/7.15.xRelease Notes
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9crg-83cg-wv74Vendor Advisory
FAQ
What is CVE-2026-29105?
CVE-2026-29105 is a vulnerability with a CVSS score of 5.4 (MEDIUM). SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnera...
How severe is CVE-2026-29105?
CVE-2026-29105 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29105?
Check the references section above for vendor advisories and patch information. Affected products include: Suitecrm Suitecrm.