CVE-2023-38891

HIGH

Vtiger CRM <7.5.0 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-38891. PoCs published by jselliott.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-38891, an authenticated SQL injection vulnerability in VTiger CRM v7.5.0. The writeup explains the root cause, proof-of-concept steps, and remediation, including a patch diff.

Description

SQL injection vulnerability in Vtiger CRM v.7.5.0 allows a remote authenticated attacker to escalate privileges via the getQueryColumnsList function in ReportRun.php.

Exploits (1)

nomisec WRITEUP 1 stars
by jselliott · poc
https://github.com/jselliott/CVE-2023-38891

This repository provides a detailed technical analysis of CVE-2023-38891, an authenticated SQL injection vulnerability in VTiger CRM v7.5.0. The writeup explains the root cause, proof-of-concept steps, and remediation, including a patch diff.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: VTiger Open Source CRM v7.5.0
Auth required
Prerequisites: Authenticated access to VTiger CRM · Ability to create/modify reports
mistral-large-3 · analyzed Feb 18, 2026 Full analysis →

Scores

CVSS v3 8.8
EPSS 0.0095
EPSS Percentile 56.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
vtiger/vtiger_crm 7.5.0
Published Sep 14, 2023
Tracked Since Feb 18, 2026