CVE-2026-29103
Received Received - Intake
Critical RCE in SuiteCRM ModuleScanner.php via Patch Bypass

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29103
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Critical Remote Code Execution (RCE) flaw in SuiteCRM versions 7.15.0 and 8.9.2 that allows authenticated administrators to execute arbitrary system commands on the server.

The issue arises from a flaw in the ModuleScanner.php file's PHP token parsing logic, where the scanner incorrectly resets its internal state when encountering single-character tokens like =, ., or ;.

This flaw enables attackers to hide dangerous function calls such as system() or exec() using variable assignments or string concatenation, bypassing the security controls designed to prevent such executions.

The vulnerability is a direct patch bypass of a previous CVE (CVE-2024-49774), and it was fixed in SuiteCRM versions 7.15.1 and 8.9.3.

Impact Analysis

This vulnerability can have severe impacts as it allows an authenticated administrator to execute arbitrary system commands remotely.

Such remote code execution can lead to full system compromise, including unauthorized access to sensitive data, disruption of services, data loss, or further exploitation of the affected system.

Given the high CVSS score of 9.1, the vulnerability poses a critical risk to the confidentiality, integrity, and availability of the affected systems.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SuiteCRM to versions 7.15.1 or 8.9.3, which contain patches addressing the issue.

Avoid using versions 7.15.0 and 8.9.2, as they are vulnerable to remote code execution by authenticated administrators.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart