CVE-2026-29105
Received Received - Intake
Unauthenticated Open Redirect in SuiteCRM WebToLead Module

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29105
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SuiteCRM, an open-source Customer Relationship Management software. Before versions 7.15.1 and 8.9.3, the WebToLead capture functionality contains an unauthenticated open redirect flaw. Specifically, a user-supplied POST parameter is used as a redirect destination without proper validation.

This means attackers can craft requests that cause SuiteCRM to redirect users to arbitrary external websites, potentially malicious ones.

Impact Analysis

The vulnerability allows attackers to abuse the trusted SuiteCRM domain to redirect users to malicious external websites. This can be used for phishing and social engineering attacks, tricking users into revealing sensitive information or downloading malware.

Because the redirect is unauthenticated and uses user-supplied input without validation, it can be exploited by anyone to target SuiteCRM users or visitors.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SuiteCRM to version 7.15.1 or 8.9.3 or later, as these versions contain patches that fix the unauthenticated open redirect issue in the WebToLead capture functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart