CVE-2022-50590 HIGH

CVE-2022-50590: SuiteCRM < 7.12.6 Type Confusion via 'deleteAttachment' Functionality

Vendor Suitecrm
Product SuiteCRM
Weakness CWE-843
Published November 6, 2025
Last update November 28, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Successful exploitation allows remote unauthenticated attackers to alter database objects including changing the email address of the administrator.

Key dates

02Disclosure timeline

November 6, 2025 CVE published
November 28, 2025 Record updated