SB2026042404 - Multiple vulnerabilities in SuiteCRM
Published: April 24, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-64490)
The vulnerability allows a remote user to bypass access controls and view and create restricted work items.
The vulnerability exists due to improper access control in the Resource Calendar, project screens, and cross-module role enforcement when handling requests to restricted modules and views. A remote user can access Resource Calendar and project functionality to bypass access controls and view and create restricted work items.
The issue affects modules and views that were explicitly set to disabled or none in role management.
2) Improper Authorization (CVE-ID: CVE-2025-64489)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper access control in the Users module when handling requests from an inactive account with an existing authenticated session. A remote user can modify their own profile status field to escalate privileges.
Active sessions remain usable after the account is marked inactive.
3) Cross-site scripting (CVE-ID: CVE-2025-64491)
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to cross-site scripting in the login page when handling a crafted malicious link. A remote attacker can send a specially crafted link to execute arbitrary JavaScript in the victim's browser.
User interaction is required to open a crafted malicious link.
4) SQL injection (CVE-ID: CVE-2025-64488)
The vulnerability allows a remote user to disclose sensitive information and compromise the database.
The vulnerability exists due to SQL injection in the Reschedule Call module when processing a crafted call_id parameter. A remote user can send a specially crafted call_id value to disclose sensitive information and compromise the database.
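To illustrate the defect class behind item 4, here is an added example (not SuiteCRM's code; the table layout, the GUID format for record ids and the function names are assumptions) showing a lookup that splices the call_id parameter into the query text next to a hardened version that validates the identifier's shape and binds it as a parameter:

```python
import re
import sqlite3

# Constructed sample rows; the column names are assumptions, not SuiteCRM's schema.
SAMPLE_CALLS = [
    ("11111111-1111-1111-1111-111111111111", "Call with customer A"),
    ("22222222-2222-2222-2222-222222222222", "Call with customer B"),
]

# Record ids are assumed to be 36-character GUIDs; anything else never reaches SQL.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample calls."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calls (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO calls VALUES (?, ?)", SAMPLE_CALLS)
    return conn


def lookup_call_vulnerable(conn: sqlite3.Connection, call_id: str) -> list:
    """Defective pattern: the request parameter becomes part of the SQL text,
    so a value containing quote characters changes the query's meaning."""
    sql = f"SELECT id, name FROM calls WHERE id = '{call_id}'"
    return conn.execute(sql).fetchall()


def lookup_call_hardened(conn: sqlite3.Connection, call_id: str) -> list:
    """Hardened pattern: reject values that are not shaped like a record id,
    then pass the value as a bound parameter so it is only ever data."""
    if not GUID_RE.match(call_id):
        raise ValueError("call_id is not a valid record id")
    sql = "SELECT id, name FROM calls WHERE id = ?"
    return conn.execute(sql, (call_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    good = "11111111-1111-1111-1111-111111111111"
    print(lookup_call_hardened(db, good))  # one matching row
```

The validation step is defence in depth: parameter binding alone already prevents the injection, and the shape check additionally gives a clean rejection point that can be logged and alerted on.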
Remediation
Install the update from the vendor's website.
References
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-jh8v-wqgj-hhc2
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-j6jg-9jj3-q2ph
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-prfm-6667-x3mv
- https://github.com/advisories/GHSA-prfm-6667-x3mv
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5v53-v44q-ww2c