CVE-2026-29106

MEDIUM

SuiteCRM has blind XSS in return_id parameter

Title source: cna

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.

References (2)

[X_Refsource_Confirm] https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m

[X_Refsource_Misc] https://docs.suitecrm.com/admin/releases/7.15.x

Scores

CVSS v3 5.9

EPSS 0.0004

EPSS Percentile 12.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Details

CWE

CWE-116 CWE-159 CWE-79 CWE-80

Status published

Products (3)

suitecrm/suitecrm < 7.15.1

SuiteCRM/SuiteCRM < 7.15.1

SuiteCRM/SuiteCRM >= 8.0.0, < 8.9.3

Published Mar 19, 2026

Tracked Since Mar 20, 2026