Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-29101

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-19 Mar, 2026 | 22:51
Updated At-20 Mar, 2026 | 18:09
Rejected At-
Credits

SuiteCRM Vulnerable to Directory Traversal to DoS in Modules

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:19 Mar, 2026 | 22:51
Updated At:20 Mar, 2026 | 18:09
Rejected At:
▼CVE Numbering Authority (CNA)
SuiteCRM Vulnerable to Directory Traversal to DoS in Modules

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.

Affected Products
Vendor
SuiteCRM Ltd.SuiteCRM
Product
SuiteCRM
Versions
Affected
  • < 7.15.1
  • >= 8.0.0, < 8.9.3
Problem Types
TypeCWE IDDescription
CWECWE-23CWE-23: Relative Path Traversal
Type: CWE
CWE ID: CWE-23
Description: CWE-23: Relative Path Traversal
Metrics
VersionBase scoreBase severityVector
3.14.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 4.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg
x_refsource_CONFIRM
https://docs.suitecrm.com/admin/releases/7.15.x
x_refsource_MISC
Hyperlink: https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg
Resource:
x_refsource_CONFIRM
Hyperlink: https://docs.suitecrm.com/admin/releases/7.15.x
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:19 Mar, 2026 | 23:16
Updated At:24 Mar, 2026 | 14:33

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.9MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 4.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches
SuiteCRM Ltd.
suitecrm
>>suitecrm>>Versions before 7.15.1(exclusive)
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*
SuiteCRM Ltd.
suitecrm
>>suitecrm>>Versions from 8.0.0(inclusive) to 8.9.3(exclusive)
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-23Primarysecurity-advisories@github.com
CWE ID: CWE-23
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://docs.suitecrm.com/admin/releases/7.15.xsecurity-advisories@github.com
Release Notes
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcgsecurity-advisories@github.com
Vendor Advisory
Hyperlink: https://docs.suitecrm.com/admin/releases/7.15.x
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2026-29097
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.02% / 6.15%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 22:39
Updated-24 Mar, 2026 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.

Action-Not Available
Vendor-SuiteCRM Ltd.
Product-suitecrmSuiteCRM
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-29098
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.08% / 22.81%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 22:43
Updated-24 Mar, 2026 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.

Action-Not Available
Vendor-SuiteCRM Ltd.
Product-suitecrmSuiteCRM
CWE ID-CWE-23
Relative Path Traversal
CVE-2024-0335
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-7.5||HIGH
EPSS-0.22% / 44.22%
||
7 Day CHG~0.00%
Published-03 Apr, 2024 | 18:53
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Malformed Packet Handling

ABB has internally identified a vulnerability in the ABB VPNI feature of the S+ Control API component which may be used by several Symphony Plus products (e.g., S+ Operations, S+ Engineering and S+ Analyst) This issue affects Symphony Plus S+ Operations: from 3..0;0 through 3.3 SP1 RU4, from 2.1;0 through 2.1 SP2 RU3, from 2.0;0 through 2.0 SP6 TC6; Symphony Plus S+ Engineering: from 2.1 through 2.3 RU3; Symphony Plus S+ Analyst: from 7.0.0.0 through 7.2.0.2.

Action-Not Available
Vendor-ABB
Product-Symphony Plus S+ AnalystSymphony Plus S+ OperationsSymphony Plus S+ Engineeringsymphony_plus_s\+_engineeringsymphony_plus_s\+_operationssymphony_plus_s\+_analyst
CWE ID-CWE-23
Relative Path Traversal
CVE-2023-46119
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.57% / 68.77%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 00:03
Updated-10 Sep, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Parse Server may crash when uploading file without extension

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.

Action-Not Available
Vendor-parseplatformparse-communityparse_community
Product-parse-serverparse-serverparse_server
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Details not found