Every CVE whose affected-product data names Salesagility Suitecrm, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (105)
CVE-2024-36412 — CVSS 10.0 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability…
CVE-2024-1644 — CVSS 9.9 (critical): Suite CRM version 7.14.2 allows including local php files. This is possible because the application is vulnerable to LFI.
CVE-2020-8803 — CVSS 9.8 (critical): SuiteCRM through 7.11.11 allows Directory Traversal to include arbitrary .php files within the webroot via add_to_prospect_list.
CVE-2019-12601 — CVSS 9.8 (critical): SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 3 of 3).
CVE-2020-8783 — CVSS 9.8 (critical): SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 1 of 4).
CVE-2020-8784 — CVSS 9.8 (critical): SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 2 of 4).
CVE-2020-8785 — CVSS 9.8 (critical): SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 3 of 4).
CVE-2020-8786 — CVSS 9.8 (critical): SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow SQL Injection (issue 4 of 4).
CVE-2022-50589 — CVSS 9.8 (critical): SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the…
CVE-2019-12598 — CVSS 9.8 (critical): SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 1 of 3).
CVE-2019-6506 — CVSS 9.8 (critical): SuiteCRM before 7.8.28, 7.9.x and 7.10.x before 7.10.15, and 7.11.x before 7.11.3 allows SQL Injection.
CVE-2019-12600 — CVSS 9.8 (critical): SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before 7.11.5 allows SQL Injection (issue 2 of 3).
CVE-2024-36410 — CVSS 9.6 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input…
CVE-2024-36409 — CVSS 9.6 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input…
CVE-2024-36408 — CVSS 9.6 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input…
CVE-2024-36411 — CVSS 9.6 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input…
CVE-2024-36415 — CVSS 9.1 (critical): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability…
CVE-2024-36413 — CVSS 8.9 (high): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability…
CVE-2025-64492 — CVSS 8.8 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain…
CVE-2025-64488 — CVSS 8.8 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.7 and below and…
CVE-2025-54788 — CVSS 8.8 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the…
CVE-2025-54785 — CVSS 8.8 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0…
CVE-2024-50332 — CVSS 8.8 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Insufficient input value…
CVE-2024-49772 — CVSS 8.8 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In SuiteCRM versions 7.14.4, poor…
CVE-2020-28328 — CVSS 8.8 (high): SuiteCRM before 7.11.17 is vulnerable to remote code execution via the system settings Log File Name setting. In certain circumstances…
CVE-2023-6130 — CVSS 8.8 (high): Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2021-41597 — CVSS 8.8 (high): SuiteCRM through 7.11.21 is vulnerable to CSRF, with resultant remote code execution, via the UpgradeWizard functionality, if a PHP file is…
CVE-2021-41869 — CVSS 8.8 (high): SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable to privilege escalation.
CVE-2021-42840 — CVSS 8.8 (high): SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving…
CVE-2021-45041 — CVSS 8.8 (high): SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection via the Tooltips action in the Project module, involving…
CVE-2023-3627 — CVSS 8.8 (high): Cross-Site Request Forgery (CSRF) in GitHub repository salesagility/suitecrm-core prior to 8.3.1.
CVE-2022-23940 — CVSS 8.8 (high): SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module…
CVE-2022-45185 — CVSS 8.8 (high): An issue was discovered in SuiteCRM 7.12.7. Authenticated users can use CRM functions to upload malicious files. Then, deserialization can…
CVE-2024-36416 — CVSS 8.6 (high): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4…
CVE-2024-36418 — CVSS 8.5 (high): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability…
CVE-2025-64489 — CVSS 8.3 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior…
CVE-2025-64490 — CVSS 8.3 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior…
CVE-2022-45186 — CVSS 8.1 (high): An issue was discovered in SuiteCRM 7.12.7. Authenticated users can recover an arbitrary field of a database.
CVE-2015-5948 — CVSS 8.1 (high): Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an…
CVE-2021-25961 — CVSS 8.0 (high): In “SuiteCRM” application, v7.1.7 through v7.10.31 and v7.11-beta through v7.11.20 fail to properly invalidate password reset links…
CVE-2021-25960 — CVSS 8.0 (high): In “SuiteCRM” application, v7.11.18 through v7.11.19 and v7.10.29 through v7.10.31 are affected by “CSV Injection” vulnerability…
CVE-2020-15301 — CVSS 7.8 (high): SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These…
CVE-2024-45392 — CVSS 7.7 (high): SuiteCRM is an open-source customer relationship management (CRM) system. Prior to version 7.14.5 and 8.6.2, insufficient access control…
CVE-2024-36414 — CVSS 7.7 (high): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability…
CVE-2020-8787 — CVSS 7.5 (high): SuiteCRM 7.10.x versions prior to 7.10.23 and 7.11.x versions prior to 7.11.11 allow for an invalid Bean ID to be submitted.
CVE-2024-49774 — CVSS 7.2 (high): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. SuiteCRM relies on the blacklist…
CVE-2022-27474 — CVSS 7.2 (high): SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
CVE-2019-25664 — CVSS 7.1 (high): SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows…
CVE-2019-25663 — CVSS 7.1 (high): SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL…
CVE-2024-50333 — CVSS 6.6 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and…
CVE-2025-64493 — CVSS 6.5 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0…
CVE-2020-8804 — CVSS 6.5 (medium): SuiteCRM through 7.11.10 allows SQL Injection via the SOAP API, the EmailUIAjax interface, or the MailMerge module.
CVE-2025-41384 — CVSS 6.1 (medium): Cross-Site Scripting (XSS) vulnerability reflected in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by…
CVE-2021-45903 — CVSS 6.1 (medium): A persistent cross-site scripting (XSS) issue in the web interface of SuiteCRM before 7.10.35, and 7.11.x and 7.12.x before 7.12.2, allows…
CVE-2021-39268 — CVSS 6.1 (medium): Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary…
CVE-2021-39267 — CVSS 6.1 (medium): Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary…
CVE-2025-54783 — CVSS 6.1 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.6 and below have a…
CVE-2025-54784 — CVSS 6.1 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting…
CVE-2018-20816 — CVSS 6.1 (medium): An XSS combined with CSRF vulnerability discovered in SalesAgility SuiteCRM 7.x before 7.8.24 and 7.10.x before 7.10.11 leads to cookie…
CVE-2025-64491 — CVSS 6.1 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and below allow…
CVE-2018-15606 — CVSS 6.1 (medium): An XSS issue was discovered in SalesAgility SuiteCRM 7.x before 7.8.21 and 7.10.x before 7.10.8, related to phishing an error message.
CVE-2024-36417 — CVSS 5.7 (medium): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified…
CVE-2023-6128 — CVSS 5.4 (medium): Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2023-6127 — CVSS 5.4 (medium): Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.
CVE-2020-14208 — CVSS 5.4 (medium): SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow…
CVE-2021-31792 — CVSS 5.4 (medium): XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field
CVE-2024-36406 — CVSS 5.4 (medium): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked…
CVE-2025-54786 — CVSS 5.3 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the…
CVE-2021-41596 — CVSS 5.3 (medium): SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary…
CVE-2019-18782 — CVSS 5.3 (medium): SuiteCRM 7.10.x prior to 7.10.21 and 7.11.x prior to 7.11.9 does not correctly implement the .htaccess protection mechanism.
CVE-2022-50590 — CVSS 5.3 (medium): SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the…
CVE-2024-49773 — CVSS 5.3 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Poor input validation in export…
CVE-2021-41595 — CVSS 5.3 (medium): SuiteCRM before 7.10.33 and 7.11.22 allows information disclosure via Directory Traversal. An attacker can partially include arbitrary…
CVE-2023-6388 — CVSS 5.0 (medium): Suite CRM version 7.14.2 allows making arbitrary HTTP requests through the vulnerable server. This is possible because the application is…
CVE-2024-50335 — CVSS 4.9 (medium): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in…
CVE-2023-3293 — CVSS 4.8 (medium): Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm-core prior to 8.3.0.
CVE-2023-6124 — CVSS 4.3 (medium): Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.
CVE-2024-36419 — CVSS 4.3 (medium): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows…
CVE-2024-36407 — CVSS 3.7 (low): SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user…
CVE-2025-54787 — CVSS 3.7 (low): SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in…
CVE-2023-47643 — CVSS 3.1 (low): SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without…