SuiteCRM: Unauthorized Access to Admin Account

CVE-2026-33288
Summary

A security flaw in older versions of SuiteCRM allows an attacker to gain full control of the system by exploiting a weakness in the login process. This could allow an unauthorized user to gain access to sensitive data and make changes to the system. To fix this, update to SuiteCRM 7.15.1 or later if you are on the version 7 line, or to 8.9.3 or later if you are on the version 8 line.

Original title
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM au...
Original description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
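As an added illustration of the bug class described above, not SuiteCRM's own code and not the vendor patch, here is a hypothetical PHP sketch of the step that follows a successful directory bind: the local lookup of the account for the authenticated username. The first function interpolates the username into the query; the second binds it as a parameter and confirms the returned row belongs to the identity the directory vouched for. The `users` table and its `user_name`, `is_admin` and `deleted` columns are assumptions for the sketch.

```php
<?php
// Hypothetical sketch, not SuiteCRM code. Assumes the caller has already
// verified $username against the directory (LDAP/AD bind succeeded) and that
// $pdo is a PDO handle to the local CRM database.

// Vulnerable pattern: the directory-authenticated username is interpolated
// straight into the SQL text, so the string controls query structure and the
// lookup can return a row for a different, more privileged local account.
function findLocalUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, user_name, is_admin FROM users "
         . "WHERE user_name = '$username' AND deleted = 0";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the username is bound as a parameter, so it is only ever
// data, and the result is cross-checked against the authenticated identity.
function findLocalUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, user_name, is_admin FROM users '
        . 'WHERE user_name = :u AND deleted = 0'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Defence in depth: even with a bound parameter, refuse any row whose
    // user_name is not exactly the identity the directory authenticated.
    if ($row === false || $row['user_name'] !== $username) {
        return null; // no local account maps to this directory identity
    }
    return $row;
}
```

Mapping a directory identity to a local account is the same kind of untrusted-input-to-query boundary as any login form, so prepared statements and an identity cross-check belong here regardless of where the credentials were verified.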
NVD CVSS 3.1 score: 8.8
Vulnerability type
CWE-89 SQL Injection
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 20 Mar 2026