{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29097", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.708Z", "datePublished": "2026-03-19T22:39:03.546Z", "dateUpdated": "2026-03-21T03:11:35.213Z"}, "containers": {"cna": {"title": "SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:45:00.535Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-x3p2-qcqh-qx2m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:11:23.199993Z", "id": "CVE-2026-29097", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:11:35.213Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29097", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:11:23.199993Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:11:30.080Z"}}], "cna": {"title": "SuiteCRM Server-Side Request Forgery and Denial of Service via RSS Feed Dashlet", "source": {"advisory": "GHSA-x3p2-qcqh-qx2m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.15.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m", "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:45:00.535Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29097", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:11:35.213Z", "dateReserved": "2026-03-03T21:54:06.708Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:39:03.546Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99", "versionEndExcluding": "7.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF", "versionEndExcluding": "8.9.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y de nivel empresarial. Las versiones anteriores a la 7.15.1 y 8.9.3 contienen una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) combinada con una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en el componente RSS Feed Dashlet. Las versiones 7.15.1 y 8.9.3 corrigen el problema."}], "id": "CVE-2026-29097", "lastModified": "2026-03-24T14:49:18.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.580", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-24T16:29:02.102375+00:00", "value": {"mitigation_remediation": ["Upgrade SuiteCRM to version 7.15.1 or 8.9.3, whichever applies to your installation.", "Confirm that the RSS Feed Dashlet functions correctly after the upgrade to ensure the patch is active.", "Enable logging for outbound HTTP requests from the CRM and review logs for unexpected activity.", "Restrict access to the RSS Feed Dashlet to authorized users if possible to reduce attack surface."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via SSRF"}, "threat_synthesis": {"affected_systems": "SuiteCRM versions older than 7.15.1 and 8.9.3 are affected. The patch is available in those specific release versions.", "description_and_impact": "The vulnerability is located in the RSS Feed Dashlet of SuiteCRM. It enables a Server\u2011Side Request Forgery that is coupled with a Denial of Service condition. An attacker can instruct the CRM server to retrieve arbitrary URLs, potentially accessing internal resources or exhausting network sockets and memory, which results in service interruption.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates high severity, while the EPSS score is below 1%, reflecting a relatively low current exploitation probability. It does not appear in the CISA KEV catalog. The likely attack vector would involve an attacker adding or modifying an RSS feed URL within the dashlet; this is inferred from the description and the nature of the component, as explicit authentication requirements are not stated in the advisory."}}}}, "created": "2026-03-20T08:54:39.848979+00:00", "updated": "2026-03-25T11:54:20.498774+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}