SQL injection in SuiteCRM - CVE-2026-33288


Published: April 24, 2026


Vulnerability identifier: #VU127398
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33288
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SalesAgility
Affected software: SuiteCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands and escalate privileges.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the authentication module when processing a user-supplied username in a local database query. A remote user can supply a crafted username to execute arbitrary SQL commands and escalate privileges.

Exploitation requires valid low-privilege directory credentials and directory support to be enabled.
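The defect class described above, a username concatenated into an authentication lookup, beside the parameterized form that neutralizes it. This is an added illustration using an in-memory SQLite table, not SuiteCRM's own code; the table layout and the sample username are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a CRM users table (not SuiteCRM's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", 1), ("alice", 0)])
    return db


def lookup_user_vulnerable(db, username):
    # CWE-89: the username is spliced into the statement, so quotes and
    # operators inside it are parsed as SQL rather than as the value.
    sql = f"SELECT user_name, is_admin FROM users WHERE user_name = '{username}'"
    return db.execute(sql).fetchall()


def lookup_user_safe(db, username):
    # Bound parameter: the driver passes the value out of band, so it can
    # only ever match a row whose user_name equals the string verbatim.
    sql = "SELECT user_name, is_admin FROM users WHERE user_name = ?"
    return db.execute(sql, (username,)).fetchall()


def demo():
    # Constructed sample username containing a quote, an OR clause and a
    # trailing comment marker; it matches no real account.
    crafted = "x' OR is_admin = 1 --"
    db = make_db()
    return {
        "vulnerable": lookup_user_vulnerable(db, crafted),  # returns the admin row
        "safe": lookup_user_safe(db, crafted),              # returns []
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query returns a privileged row for a username that belongs to nobody, while the parameterized query returns nothing; auditing authentication code for the first pattern is the practical check.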


How to mitigate CVE-2026-33288

Install the security update from the vendor's website.

Sources