CVE-2026-29109

HIGH WAF: Medium

CVSS 7.2 Published: 2026-03-20

CWE-502

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.

WAF Coverage Analysis

Insecure Deserialization Medium WAF Coverage

OWASP: A08:2021 Software and Data Integrity Failures

944xxx - Java Attack

Affected Software

Vendor	Product	Version
suitecrm	suitecrm	up to 8.9.3

References

github.com (Vendor Advisory)

Back to CVE Database