SQL Injection Vulnerability in SuiteCRM by SuiteCRM Inc.
CVE-2026-29096
What is CVE-2026-29096?
SuiteCRM, an open-source CRM application, has a vulnerability that allows authenticated users with Report access to exploit a lack of input validation in the AOR_Reports module. The field_function parameter from POST data is stored directly in the aor_fields table and is later concatenated into a SQL SELECT query without sanitization. Because the untrusted value is persisted first and used in a query later, this is a second-order SQL injection: an attacker could extract sensitive database contents such as password hashes, API tokens, and configuration values. Additionally, if the database runs on MySQL and the database user holds FILE privileges, this could open a path to remote code execution (RCE) via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 and later address this critical issue.
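The pattern described above, as an added illustration that is not SuiteCRM's own code: a report-field "function" value is stored at write time and later concatenated into a SELECT. The block below reproduces that shape against an in-memory SQLite schema (table and column names, the allow-list of function names, and the sample values are all constructed for this example) and places the hardened form beside it. The fix validates the value against an allow-list of known function names both when it is stored and again when it is read, so rows written before the fix are not trusted either.

```python
import re
import sqlite3

# Allow-list of functions a report field may apply.
# Constructed for this example; SuiteCRM's real list is not reproduced here.
ALLOWED_FIELD_FUNCTIONS = {"", "count", "sum", "avg", "min", "max"}
# Column names used in the generated SELECT must be bare identifiers.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def setup_db() -> sqlite3.Connection:
    """In-memory schema that mimics a stored report-field row (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE aor_fields_demo (id INTEGER PRIMARY KEY, field TEXT, field_function TEXT);
        CREATE TABLE accounts_demo (id INTEGER PRIMARY KEY, name TEXT, revenue INTEGER);
        INSERT INTO accounts_demo VALUES (1, 'a', 10), (2, 'b', 30);
        """
    )
    return conn


def store_field_vulnerable(conn, field, field_function):
    """First half of the flaw: the POST value is stored exactly as received."""
    conn.execute(
        "INSERT INTO aor_fields_demo (field, field_function) VALUES (?, ?)",
        (field, field_function),
    )
    conn.commit()


def build_report_sql_vulnerable(conn) -> str:
    """Second half: the stored function name is concatenated into the SELECT unchecked."""
    parts = []
    for field, func in conn.execute("SELECT field, field_function FROM aor_fields_demo"):
        parts.append(f"{func}({field})" if func else field)
    return "SELECT " + ", ".join(parts) + " FROM accounts_demo"


def validate_field_function(field_function: str) -> str:
    """Accept only a known function name; return its canonical lower-case form."""
    func = (field_function or "").strip().lower()
    if func not in ALLOWED_FIELD_FUNCTIONS:
        raise ValueError(f"field_function not permitted: {field_function!r}")
    return func


def validate_identifier(name: str) -> str:
    """Accept only a bare SQL identifier for the column name."""
    if not IDENTIFIER_RE.match(name or ""):
        raise ValueError(f"invalid identifier: {name!r}")
    return name


def store_field_hardened(conn, field, field_function):
    """Validate at write time so untrusted text never reaches the table."""
    conn.execute(
        "INSERT INTO aor_fields_demo (field, field_function) VALUES (?, ?)",
        (validate_identifier(field), validate_field_function(field_function)),
    )
    conn.commit()


def build_report_sql_hardened(conn) -> str:
    """Re-validate at read time: rows stored before the fix are still untrusted input."""
    parts = []
    for field, func in conn.execute("SELECT field, field_function FROM aor_fields_demo"):
        field = validate_identifier(field)
        func = validate_field_function(func)
        parts.append(f"{func.upper()}({field})" if func else field)
    return "SELECT " + ", ".join(parts) + " FROM accounts_demo"


def demo():
    """Show the stored value reaching the query verbatim, then the hardened path refusing it."""
    conn = setup_db()
    tainted = "COUNT(revenue) -- injected"          # constructed: not a bare function name
    store_field_vulnerable(conn, "revenue", tainted)
    leaked = tainted in build_report_sql_vulnerable(conn)   # True: concatenated as-is
    try:
        build_report_sql_hardened(conn)
        blocked = False
    except ValueError:
        blocked = True                                       # True: read-time check refuses the row
    clean = setup_db()
    store_field_hardened(clean, "revenue", "SUM")
    ok_sql = build_report_sql_hardened(clean)               # SELECT SUM(revenue) FROM accounts_demo
    total = clean.execute(ok_sql).fetchone()[0]             # 40
    return leaked, blocked, ok_sql, total


if __name__ == "__main__":
    print(demo())
```

The read-time check matters for a second-order bug: patching only the write path leaves whatever was already persisted in the table to be concatenated on the next report run, so a migration that rejects or cleans existing rows, or validation on every read as shown here, is needed alongside the upgrade.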

Affected Version(s)
SuiteCRM < 7.15.1 (fixed in 7.15.1)
SuiteCRM >= 8.0.0, < 8.9.3 (fixed in 8.9.3)
