Platform
php
Component
suitecrm
Fixed in
7.15.2
CVE-2026-29100 identifies a reflected cross-site scripting (XSS) vulnerability within SuiteCRM versions up to 7.15.0. This flaw allows attackers to inject malicious HTML content into the login page, potentially leading to phishing attacks and unauthorized page modifications. The vulnerability impacts SuiteCRM installations running versions prior to 7.15.1, and a patch has been released to address the issue.
The reflected XSS vulnerability in SuiteCRM allows an attacker to craft a malicious URL containing injected HTML or JavaScript code. When a user clicks this link or visits a page containing the malicious code, the injected script executes within their browser context, impersonating the user. This can be exploited to steal session cookies, redirect users to phishing sites designed to harvest credentials, or deface the SuiteCRM login page. Successful exploitation could compromise sensitive customer data and internal system access, particularly if users are tricked into entering credentials on the malicious page.
CVE-2026-29100 was publicly disclosed on 2026-03-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it relatively easy to exploit. The EPSS score is likely medium, indicating a moderate probability of exploitation given the ease of exploitation and potential impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-29100 is to immediately upgrade SuiteCRM to version 7.15.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the login page to sanitize user-supplied data. Web application firewalls (WAFs) configured with rules to detect and block reflected XSS attacks can provide an additional layer of defense. Regularly review and update WAF rules to ensure effectiveness.
Actualice SuiteCRM a la versión 7.15.1 o superior. Esta versión corrige la vulnerabilidad de inyección HTML reflejada en la página de inicio de sesión.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-29100 is a reflected XSS vulnerability in SuiteCRM versions up to 7.15.0, allowing attackers to inject malicious HTML and potentially steal credentials or deface the login page.
You are affected if you are running SuiteCRM version 7.15.0 or earlier. Upgrade to 7.15.1 to mitigate the risk.
The recommended fix is to upgrade SuiteCRM to version 7.15.1 or later. Consider input validation and WAF rules as temporary mitigations if upgrading is not immediately possible.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests a potential for attacks. Monitor your systems closely.
Refer to the SuiteCRM security advisories page for the latest information and official announcements regarding CVE-2026-29100.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.