CVE-2026-29105
Received Received - Intake
Unauthenticated Open Redirect in SuiteCRM WebToLead Module

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-05-07
AI Q&A
2026-03-20
EPSS Evaluated
2026-05-05
NVD
CVE-2026-29105
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in SuiteCRM, an open-source Customer Relationship Management software. Before versions 7.15.1 and 8.9.3, the WebToLead capture functionality contains an unauthenticated open redirect flaw. Specifically, a user-supplied POST parameter is used as a redirect destination without proper validation.

This means attackers can craft requests that cause SuiteCRM to redirect users to arbitrary external websites, potentially malicious ones.


How can this vulnerability impact me? :

The vulnerability allows attackers to abuse the trusted SuiteCRM domain to redirect users to malicious external websites. This can be used for phishing and social engineering attacks, tricking users into revealing sensitive information or downloading malware.

Because the redirect is unauthenticated and uses user-supplied input without validation, it can be exploited by anyone to target SuiteCRM users or visitors.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade SuiteCRM to version 7.15.1 or 8.9.3 or later, as these versions contain patches that fix the unauthenticated open redirect issue in the WebToLead capture functionality.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart