CVE-2026-29103
Received Received - Intake
Critical RCE in SuiteCRM ModuleScanner.php via Patch Bypass

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state ($checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-29103
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Critical Remote Code Execution (RCE) flaw in SuiteCRM versions 7.15.0 and 8.9.2 that allows authenticated administrators to execute arbitrary system commands on the server.

The issue arises from a flaw in the ModuleScanner.php file's PHP token parsing logic, where the scanner incorrectly resets its internal state when encountering single-character tokens like =, ., or ;.

This flaw enables attackers to hide dangerous function calls such as system() or exec() using variable assignments or string concatenation, bypassing the security controls designed to prevent such executions.

The vulnerability is a direct patch bypass of a previous CVE (CVE-2024-49774), and it was fixed in SuiteCRM versions 7.15.1 and 8.9.3.


How can this vulnerability impact me? :

This vulnerability can have severe impacts as it allows an authenticated administrator to execute arbitrary system commands remotely.

Such remote code execution can lead to full system compromise, including unauthorized access to sensitive data, disruption of services, data loss, or further exploitation of the affected system.

Given the high CVSS score of 9.1, the vulnerability poses a critical risk to the confidentiality, integrity, and availability of the affected systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade SuiteCRM to versions 7.15.1 or 8.9.3, which contain patches addressing the issue.

Avoid using versions 7.15.0 and 8.9.2, as they are vulnerable to remote code execution by authenticated administrators.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart