CVE-2026-29105
Severity: Medium
WAF Coverage: Medium
CVSS 6.1
Published: 2026-03-19
CWE-601
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as the redirect destination without validation, so a crafted request can send a victim to an arbitrary external website. Because the redirect originates from the trusted SuiteCRM domain, the flaw lends itself to phishing and social engineering. Versions 7.15.1 and 8.9.3 patch the issue.
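The advisory describes the classic open-redirect pattern: a POST parameter is copied straight into the redirect target. The following Python example is added here to show what the missing validation looks like; it is not SuiteCRM code, and the parameter name `redirect_url`, the allowed host `crm.example.com`, and the sample POST bodies are all constructed for illustration (the advisory does not name the real parameter). The check accepts only site-relative paths or absolute http(s) URLs whose host is on an allowlist, and it rejects the usual bypasses (protocol-relative `//host`, backslash variants, userinfo tricks such as `https://good@evil`, and non-http schemes).

```python
from urllib.parse import urlsplit

# Hypothetical names: the advisory does not disclose the real parameter.
REDIRECT_PARAM = "redirect_url"
DEFAULT_LANDING = "/index.php?module=Home"


def vulnerable_resolve_redirect(post_params: dict) -> str:
    """The pattern the advisory describes: the POST value becomes the
    redirect destination with no validation at all."""
    return post_params.get(REDIRECT_PARAM, DEFAULT_LANDING)


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """Return True only for a site-relative path ("/path...") or an
    absolute http(s) URL whose hostname is in allowed_hosts."""
    if not isinstance(target, str) or not target:
        return False
    # Control characters (CR, LF, TAB, NUL, ...) can confuse header handling
    # and URL parsers; refuse them outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat backslashes like slashes, so "/\evil" behaves as "//evil".
    if "\\" in target:
        return False

    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http/https, and only to an allowlisted host.
        # urlsplit's .hostname already strips userinfo and port, so
        # "https://crm.example.com@evil.example/" resolves to evil.example.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts

    # No scheme: must be a plain site-relative path.  A netloc here means a
    # protocol-relative URL ("//evil.example"), and "///evil.example" parses
    # with an empty netloc, so also refuse anything starting with "//".
    if parts.netloc:
        return False
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(post_params: dict, allowed_hosts: set[str]) -> str:
    """Hardened version: fall back to a fixed landing page when the
    supplied target fails validation.  A rejection here is worth logging,
    since it is a cheap detection signal for redirect abuse attempts."""
    target = post_params.get(REDIRECT_PARAM, "")
    if is_safe_redirect(target, allowed_hosts):
        return target
    return DEFAULT_LANDING


if __name__ == "__main__":
    allowed = {"crm.example.com"}
    # Constructed sample POST bodies, not captured traffic.
    samples = [
        {"redirect_url": "/thankyou.html"},
        {"redirect_url": "https://crm.example.com/index.php?module=Home"},
        {"redirect_url": "https://evil.example/phish"},
        {"redirect_url": "//evil.example/phish"},
        {"redirect_url": "https://crm.example.com@evil.example/"},
    ]
    for body in samples:
        print(f"{body[REDIRECT_PARAM]!r:55} -> "
              f"unchecked: {vulnerable_resolve_redirect(body)!r:45} "
              f"validated: {resolve_redirect(body, allowed)!r}")
```

An allowlist of hostnames is deliberately used rather than a denylist or a substring match; `parts.hostname` is compared after lowercasing, and the pre-parse checks exist because several of the bypasses depend on browser behaviour that `urlsplit` does not model.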
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Affected Versions |
|---|---|---|
| suitecrm | suitecrm | up to 7.15.1 |
| suitecrm | suitecrm | 8.0.0 - 8.9.3 |
References
- docs.suitecrm.com (Release Notes)
- github.com (Vendor Advisory)