CVE-2022-50589 CRITICAL

CVE-2022-50589: SuiteCRM < 7.12.6 SQL Injection via 'export' Functionality

Vendor Suitecrm
Product SuiteCRM
Weakness CWE-89 · SQLi
Published November 6, 2025
Last update November 28, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Successful exploitation allows remote unauthenticated attackers to ultimately execute arbitrary code.

Key dates

02Disclosure timeline

November 6, 2025 CVE published
November 28, 2025 Record updated