{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29098", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.708Z", "datePublished": "2026-03-19T22:43:58.568Z", "dateUpdated": "2026-03-20T17:45:30.519Z"}, "containers": {"cna": {"title": "SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:47:11.424Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-6858-fhw5-56gf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:43:50.482877Z", "id": "CVE-2026-29098", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:45:30.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:43:50.482877Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:43:57.701Z"}}], "cna": {"title": "SuiteCRM has Relative Path Traversal via ModuleBuilder Modules ExportCustom Action", "source": {"advisory": "GHSA-6858-fhw5-56gf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.15.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf", "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:47:11.424Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29098", "state": "PUBLISHED", "dateUpdated": "2026-03-20T17:45:30.519Z", "dateReserved": "2026-03-03T21:54:06.708Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:43:58.568Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue."}], "id": "CVE-2026-29098", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T23:16:41.747", "references": [{"source": "security-advisories@github.com", "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T00:27:20.417385+00:00", "value": {"mitigation_remediation": ["Apply the official patch: upgrade SuiteCRM to version 7.15.1 or 8.9.3.", "If an upgrade is not immediately possible, restrict or remove access to the ModuleBuilder module for regular users, limiting it to administrators only.", "Verify that no modules or custom code reintroduce old path traversal logic prior to patching.", "After applying the patch, validate that the ModuleBuilder exportCustom action no longer accepts malicious paths and that file copies are not placed in the web root.", "Check the vendor\u2019s release notes or security advisories for any further updates or mitigation advice."], "summary": {"action": "Apply Patch", "impact": "Data Disclosure"}, "threat_synthesis": {"affected_systems": "SuiteCRM versions 7.0\u20117.15.0 (prior to 7.15.1) and 8.0\u20118.9.2 (prior to 8.9.3) are affected. The problem exists in the ModuleBuilder component of both major releases. Patching to version 7.15.1 or 8.9.3 removes the flaw.", "description_and_impact": "The vulnerability exists because the action_exportCustom function in SuiteCRM\u2019s ModuleBuilder controller fails to neutralize path traversal sequences in the modules and name parameters. As a result, an authenticated user with access to the ModuleBuilder module \u2013 normally an administrator \u2013 can supply crafted values that cause the system to read any file or directory that the web server can read and then copy the contents into the web root, making the files publicly viewable.\n\nThe vulnerability directly affects SuiteCRM project versions prior to 7.15.1 and 8.9.3. Both the 7 and 8 major releases include the vulnerable ModuleBuilder module, so any deployment of these software lines without the patch is susceptible.\n\nThe risk assessment shows a CVSS score of 4.9, indicating moderate impact. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the ModuleBuilder module; therefore, attackers must be privileged users within the application and can target the web\u2011server file system that is readable by the user running the web process.", "risk_and_exploitability": "This path traversal flaw carries a moderate CVSS score (4.9). Because it requires authenticated access to the ModuleBuilder module, the likelihood of exploitation depends on attacker privilege\u2011level within the CRM. The vulnerability is not currently tracked in the KEV database, and EPSS data is not provided, so existing exploit activity cannot be quantified. Nevertheless, if an attacker gains administrative rights, they could exfiltrate configuration data or other secrets by copying files into the web root, where they become publicly accessible."}}}}, "created": "2026-03-20T08:54:38.995407+00:00", "updated": "2026-03-20T10:44:07.147917+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}