Cyber Posture

CVE-2026-29097

Severity: High

Published: 19 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: 7.15.1 / 8.9.3
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29097 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in SuiteCRM. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: SI-10 (Information Input Validation) requires validation of inputs to the RSS Feed Dashlet, directly preventing SSRF exploitation by rejecting malicious URLs.
- prevent: SC-5 (Denial-of-service Protection) implements DoS protections that mitigate the availability impact caused by SSRF-triggered resource exhaustion in SuiteCRM.
- prevent: SI-2 (Flaw Remediation) ensures timely patching of the SuiteCRM RSS Feed Dashlet flaw; versions 7.15.1 and 8.9.3 specifically address this SSRF/DoS vulnerability.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

SSRF in a public-facing web application (SuiteCRM) directly enables remote unauthenticated exploitation (T1190) that triggers application-level DoS (T1499.004), with no confidentiality or integrity impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.

Deeper analysis (AI-generated)

CVE-2026-29097 is a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition affecting the RSS Feed Dashlet component in SuiteCRM, an open-source Customer Relationship Management (CRM) software application. The issue impacts versions prior to 7.15.1 and 8.9.3. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact, and is associated with CWE-918.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the RSS Feed Dashlet, they can trigger SSRF to make unauthorized requests from the server, resulting in a DoS condition that disrupts service availability without affecting confidentiality or integrity.

SuiteCRM versions 7.15.1 and 8.9.3 address the vulnerability with patches. Additional details on mitigation and release notes are available in the SuiteCRM documentation at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m.
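The SI-10 and SC-5 controls recommended above, and the unauthenticated SSRF-to-DoS path this analysis describes, come down to two things a feed-fetching component must do: check where a user-supplied URL actually points before fetching it, and bound the fetch in time and size so a hostile or unreachable remote cannot exhaust the server. The following is an added example written for this page, not SuiteCRM's code (SuiteCRM is a PHP application; this is a stand-alone Python illustration of the same defensive pattern). Every constant, function name and sample URL in it is an assumption constructed here, not a SuiteCRM setting or identifier.

```python
import io
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Fetch policy for an RSS-style dashlet. These limits are illustrative
# values chosen for this example, not SuiteCRM's own settings.
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3
MAX_FEED_BYTES = 1_000_000   # cap the body so a hostile feed cannot exhaust memory (SC-5)
FETCH_TIMEOUT = 5            # seconds; a hanging remote must not tie up the worker (SC-5)


def resolve_host(hostname):
    """Return the addresses a hostname maps to; IP literals skip DNS entirely."""
    try:
        return [ipaddress.ip_address(hostname)]
    except ValueError:
        infos = socket.getaddrinfo(hostname, None)
        # getaddrinfo may return a scoped IPv6 literal such as fe80::1%eth0
        return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    Loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud
    metadata endpoint), multicast, reserved and unspecified addresses are
    rejected; IPv4-mapped IPv6 addresses are judged by their IPv4 payload.
    """
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_feed_url(url):
    """Input validation for a user-supplied feed URL (SI-10).

    Returns (True, "") when the URL may be fetched, otherwise (False, reason).
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = resolve_host(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, ""


def read_bounded(stream, limit=MAX_FEED_BYTES):
    """Read at most `limit` bytes from a file-like object; None if the body is larger."""
    data = stream.read(limit + 1)
    return None if len(data) > limit else data


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so fetch_feed re-validates each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_feed(url):
    """Fetch a feed body, validating the initial URL and every redirect target."""
    opener = urllib.request.build_opener(_NoRedirect)
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = validate_feed_url(url)
        if not ok:
            raise ValueError(f"refusing to fetch {url!r}: {reason}")
        try:
            with opener.open(url, timeout=FETCH_TIMEOUT) as resp:
                body = read_bounded(resp)
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)   # loop re-validates the new target
                continue
            raise
        if body is None:
            raise ValueError("feed exceeds MAX_FEED_BYTES")
        return body
    raise ValueError("too many redirects")


if __name__ == "__main__":
    # Constructed sample URLs; none of these is fetched, only validated.
    for candidate in ("http://1.2.3.4/feed.xml",
                      "http://127.0.0.1/feed",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:10.0.0.5]/rss",
                      "file:///etc/passwd"):
        print(candidate, "->", validate_feed_url(candidate))
```

Two design points matter here. Redirects are handled by hand so that every hop is validated against the same policy as the first URL; a library that follows redirects transparently would let a permitted public host forward the server into an internal address. Second, resolving and then fetching leaves a short window in which a DNS answer can change between the check and the connect, so a production fetcher should pin the resolved address (connect to the IP and send the original Host header) or re-check the address at connect time rather than rely on the pre-flight resolution alone.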

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products

suitecrm / suitecrm: ≤ 7.15.1 · 8.0.0 – 8.9.3

CVEs Like This One

- CVE-2026-33289 · Same product: Suitecrm Suitecrm
- CVE-2026-29102 · Same product: Suitecrm Suitecrm
- CVE-2026-29101 · Same product: Suitecrm Suitecrm
- CVE-2026-29109 · Same product: Suitecrm Suitecrm
- CVE-2026-29103 · Same product: Suitecrm Suitecrm
- CVE-2026-29096 · Same product: Suitecrm Suitecrm
- CVE-2026-29189 · Same product: Suitecrm Suitecrm
- CVE-2026-29100 · Same product: Suitecrm Suitecrm
- CVE-2026-33288 · Same product: Suitecrm Suitecrm
- CVE-2026-29099 · Same product: Suitecrm Suitecrm

References

- SuiteCRM 7.15.x release notes: https://docs.suitecrm.com/admin/releases/7.15.x
- GitHub security advisory GHSA-x3p2-qcqh-qx2m: https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m