CVE-2026-29106 — MEDIUM (5.9)

Q: How severe is CVE-2026-29106?

CVE-2026-29106 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-29106?

Check the references section above for vendor advisories and patch information. Affected products include: Suitecrm Suitecrm.

Vulnerability Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Suitecrm	Suitecrm	< 7.15.1

Related Weaknesses (CWE)

CWE-159 CWE-116 CWE-79 CWE-80

References

https://docs.suitecrm.com/admin/releases/7.15.xRelease Notes
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2mVendor Advisory

FAQ

What is CVE-2026-29106?

CVE-2026-29106 is a vulnerability with a CVSS score of 5.9 (MEDIUM). SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied int...

How severe is CVE-2026-29106?

CVE-2026-29106 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-29106?

Check the references section above for vendor advisories and patch information. Affected products include: Suitecrm Suitecrm.