CVE-2026-29105
Received Received - Intake

Unauthenticated Open Redirect in SuiteCRM WebToLead Module

Vulnerability report for CVE-2026-29105, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an unauthenticated open redirect vulnerability in the WebToLead capture functionality. A user-supplied POST parameter is used as a redirect destination without validation, allowing attackers to redirect victims to arbitrary external websites. This vulnerability allows attackers to abuse the trusted SuiteCRM domain for phishing and social engineering attacks by redirecting users to malicious external websites. Versions 7.15.1 and 8.9.3 patch the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-07-06
AI Q&A
2026-03-20
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in SuiteCRM, an open-source Customer Relationship Management software. Before versions 7.15.1 and 8.9.3, the WebToLead capture functionality contains an unauthenticated open redirect flaw. Specifically, a user-supplied POST parameter is used as a redirect destination without proper validation.

This means attackers can craft requests that cause SuiteCRM to redirect users to arbitrary external websites, potentially malicious ones.

Impact Analysis

The vulnerability allows attackers to abuse the trusted SuiteCRM domain to redirect users to malicious external websites. This can be used for phishing and social engineering attacks, tricking users into revealing sensitive information or downloading malware.

Because the redirect is unauthenticated and uses user-supplied input without validation, it can be exploited by anyone to target SuiteCRM users or visitors.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SuiteCRM to version 7.15.1 or 8.9.3 or later, as these versions contain patches that fix the unauthenticated open redirect issue in the WebToLead capture functionality.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart