CVSS 4.0 score: 8.6

SuiteCRM allows administrators to run arbitrary system commands

CVE-2026-29109
Summary

An attacker with administrator privileges can execute system commands on the server running SuiteCRM. This could lead to unauthorized actions, data exposure, or even server compromise. Update to version 8.9.3 to fix this issue.

Original description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
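The description above names the defect class (CWE-502) and the exact anti-pattern: `unserialize()` over a database column the user controls, with no restriction on which classes may be instantiated. The following PHP is an added illustration, not SuiteCRM code and not the 8.9.3 patch: it places that vulnerable pattern beside a hardened loader that forbids object instantiation via `allowed_classes => false` and then rejects anything that is not plain data. The function names, the `assertPlainData` helper and the two sample payloads are hypothetical and constructed for this demonstration.

```php
<?php
// Added example, not SuiteCRM's code. Shows the CWE-502 pattern the
// advisory describes and one defensive alternative. All names below
// (loadFilterUnsafe, loadFilterHardened, assertPlainData) and both
// sample payloads are constructed for this demo.

declare(strict_types=1);

// Vulnerable pattern: unserialize() with no class restriction. Any
// autoloadable class with a magic method (__wakeup, __destruct, ...)
// becomes instantiable from whatever string sits in the database.
function loadFilterUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern: forbid object instantiation entirely. A saved-search
// filter definition is plain data (strings, ints, nested arrays), so no
// class is ever legitimately needed. With allowed_classes=false every
// object in the input decodes to __PHP_Incomplete_Class, which the
// recursive check below refuses rather than silently carrying along.
function loadFilterHardened(string $raw): array
{
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false both on failure and for serialize(false)
    if ($decoded === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed saved_search.contents');
    }
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('filter definition must be an array');
    }
    assertPlainData($decoded);
    return $decoded;
}

// Recursively verify that only scalars, null and arrays are present.
function assertPlainData(mixed $value, string $path = '$'): void
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            assertPlainData($v, $path . '[' . $k . ']');
        }
        return;
    }
    if (is_object($value)) {
        // Reached for __PHP_Incomplete_Class placeholders: an object was
        // present in the stored blob, which a filter definition never needs.
        throw new InvalidArgumentException("object found at $path; rejecting");
    }
    if (!is_scalar($value) && $value !== null) {
        throw new InvalidArgumentException("unsupported type at $path");
    }
}

// Constructed sample: a benign filter definition as it might be stored.
$benign = serialize(['name' => 'open_cases', 'status' => ['Open', 'Pending']]);
echo loadFilterHardened($benign)['status'][1], PHP_EOL;

// Constructed sample: the same shape with an embedded object of a harmless
// built-in class, standing in for any class an attacker might choose.
// loadFilterUnsafe() would instantiate it; the hardened loader refuses it.
$withObject = serialize(['name' => 'x', 'obj' => new DateTime('2026-03-20')]);
try {
    loadFilterHardened($withObject);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The design point is that the fix is not a denylist of dangerous classes but the removal of object instantiation from a code path that only ever needs data; where a format change is possible, storing the definition as JSON and decoding with `json_decode($raw, true)` removes the deserialization surface altogether. None of this replaces upgrading to 8.9.3, which is the vendor's fix for the affected versions.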
NVD CVSS 4.0 score: 8.6
Vulnerability type
CWE-502 Deserialization of Untrusted Data
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 20 Mar 2026