Platform
php
Component
suitecrm
Fixed version
7.15.2
CVE-2026-29100 identifies a reflected cross-site scripting (XSS) vulnerability within SuiteCRM versions up to 7.15.0. This flaw allows attackers to inject malicious HTML content into the login page, potentially leading to phishing attacks and unauthorized page modifications. The vulnerability impacts SuiteCRM installations running versions prior to 7.15.1, and a patch has been released to address the issue.
The reflected XSS vulnerability in SuiteCRM allows an attacker to craft a malicious URL containing injected HTML or JavaScript code. When a user clicks this link or visits a page containing the malicious code, the injected script runs in the user's browser session with that user's privileges in SuiteCRM. This can be exploited to steal session cookies, redirect users to phishing sites designed to harvest credentials, or deface the SuiteCRM login page. Successful exploitation could compromise sensitive customer data and internal system access, particularly if users are tricked into entering credentials on the malicious page.
CVE-2026-29100 was publicly disclosed on 2026-03-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it relatively easy to exploit. The EPSS score is likely medium, indicating a moderate probability of exploitation given how easy the flaw is to exploit and its potential impact. It is not currently listed on the CISA KEV catalog.
Organizations using SuiteCRM versions 7.15.0 or earlier, particularly those with publicly accessible login pages or those who rely on SuiteCRM for sensitive customer data, are at risk. Shared hosting environments where multiple users share the same SuiteCRM instance are also particularly vulnerable.
• php / web:
curl -I 'https://your-suitecrm-domain.com/login.php?param=<script>alert(1)</script>' | grep -i content-type
• generic web:
curl -I 'https://your-suitecrm-domain.com/login.php?param=<script>alert(1)</script>' | grep -i content-type
Disclosure
Exploitation status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-29100 is to immediately upgrade SuiteCRM to version 7.15.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the login page to sanitize user-supplied data. Web application firewalls (WAFs) configured with rules to detect and block reflected XSS attacks can provide an additional layer of defense. Regularly review and update WAF rules to ensure effectiveness.
Update SuiteCRM to version 7.15.1 or later. This version fixes the reflected HTML injection vulnerability in the login page.
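As an added illustration of the output-encoding mitigation described above (this is not SuiteCRM's own code; the login-page fragment and the parameter names `login_message` and `return_to` are assumptions), a PHP 8 fragment that shows a login page reflecting query parameters verbatim next to a hardened version that encodes for the HTML context and allow-lists the redirect path:

```php
<?php
// Added example (not SuiteCRM code, requires PHP 8+): output encoding for values
// reflected into a login page. Parameter names are assumptions for illustration.
declare(strict_types=1);

// Encode a value for an HTML text or double-quoted attribute context.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only accept a local, relative path for the post-login redirect, so an
// attacker-controlled value can neither inject markup nor redirect off-site.
function safe_return_path(?string $value): string
{
    if ($value === null || !preg_match('#\A/[A-Za-z0-9_./?=&%-]*\z#', $value)) {
        return '/index.php';
    }
    if (str_starts_with($value, '//') || str_contains($value, '..')) {
        return '/index.php';
    }
    return $value;
}

// Vulnerable pattern: untrusted query parameters copied verbatim into the page.
function render_login_vulnerable(array $query): string
{
    $msg = $query['login_message'] ?? '';
    $ret = $query['return_to'] ?? '/index.php';
    return "<p class=\"error\">$msg</p>\n"
         . "<input type=\"hidden\" name=\"return_to\" value=\"$ret\">";
}

// Hardened pattern: encode for the HTML context and allow-list the redirect path.
function render_login_hardened(array $query): string
{
    $msg = html_encode((string) ($query['login_message'] ?? ''));
    $ret = html_encode(safe_return_path($query['return_to'] ?? null));
    return "<p class=\"error\">$msg</p>\n"
         . "<input type=\"hidden\" name=\"return_to\" value=\"$ret\">";
}

// Constructed sample input in the shape of a reflected-XSS probe (not a real request).
$probe = [
    'login_message' => '<script>alert(1)</script>',
    'return_to'     => '" onfocus="alert(2)" autofocus="',
];
echo render_login_vulnerable($probe), "\n\n";  // markup lands in the page as-is
echo render_login_hardened($probe), "\n";      // rendered as inert text, path reset
```

Encoding at output time is the durable fix; a WAF rule that blocks obvious `<script>` strings in the query string only catches the simplest probes.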
CVE-2026-29100 is a reflected XSS vulnerability in SuiteCRM versions up to 7.15.0, allowing attackers to inject malicious HTML and potentially steal credentials or deface the login page.
You are affected if you are running SuiteCRM version 7.15.0 or earlier. Upgrade to 7.15.1 to mitigate the risk.
The recommended fix is to upgrade SuiteCRM to version 7.15.1 or later. Consider input validation and WAF rules as temporary mitigations if upgrading is not immediately possible.
While no active exploitation has been publicly confirmed, the ease of exploitation suggests a potential for attacks. Monitor your systems closely.
Refer to the SuiteCRM security advisories page for the latest information and official announcements regarding CVE-2026-29100.