{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29101", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.708Z", "datePublished": "2026-03-19T22:51:47.718Z", "dateUpdated": "2026-03-20T18:09:29.978Z"}, "containers": {"cna": {"title": "SuiteCRM Vulnerable to Directory Traversal to DoS in Modules", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:51:47.718Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-24pf-9cvh-ppcg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:59:10.693199Z", "id": "CVE-2026-29101", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:09:29.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29101", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:59:10.693199Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:59:44.533Z"}}], "cna": {"title": "SuiteCRM Vulnerable to Directory Traversal to DoS in Modules", "source": {"advisory": "GHSA-24pf-9cvh-ppcg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.15.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg", "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:51:47.718Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29101", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:09:29.978Z", "dateReserved": "2026-03-03T21:54:06.708Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:51:47.718Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99", "versionEndExcluding": "7.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF", "versionEndExcluding": "8.9.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, existe una vulnerabilidad de Denegaci\u00f3n de Servicio (DoS) en los m\u00f3dulos de SuiteCRM. Las versiones 7.15.1 y 8.9.3 aplican un parche al problema."}], "id": "CVE-2026-29101", "lastModified": "2026-03-24T14:33:57.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-19T23:16:42.637", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-24T15:51:20.605201+00:00", "value": {"mitigation_remediation": ["Upgrade SuiteCRM to version 7.15.1 or later, or to version 8.9.3 or later, to apply the official patch", "If an update cannot be performed immediately, temporarily block or rate\u2011limit access to the affected modules to mitigate DoS risk", "Monitor web server and application logs for abnormal request patterns that may indicate attempts to exploit the directory traversal path"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All installations of SuiteCRM prior to version 7.15.1 and prior to version 8.9.3 are vulnerable. This includes the 7.x and 8.x major releases that have not been updated to the referenced patch levels. Users running the older releases should verify the major version and apply the corresponding fix.", "description_and_impact": "A directory traversal weakness in SuiteCRM modules allows an attacker to send crafted requests that can potentially overload the application, leading to a denial of service. The vulnerability is a classic path traversal issue (CWE-23) and can disrupt normal operation by exhausting resources or triggering application errors.", "risk_and_exploitability": "The CVSS score of 4.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating no known active exploits. Attackers would need to execute crafted web requests against the vulnerable modules; remote exploitation is inferred from the nature of the issue, though no confirmed public exploit exists. Overall, the risk is modest, but proactive remediation is recommended to avoid potential service disruption."}}}}, "created": "2026-03-20T08:54:34.747409+00:00", "updated": "2026-03-25T11:54:15.557543+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}