CVE-2025-54788 HIGH

CVE-2025-54788: SuiteCRM: Authenticated Blind SQL Injection in InboundEmail module

Vendor Suitecrm
Product SuiteCRM
Weakness CWE-89 · SQLi
Published August 6, 2025
Last update August 7, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the InboundEmail module allows the arbitrary execution of queries in the backend database, leading to SQL injection. This can have wide-reaching implications on confidentiality, integrity, and availability, as database data can be retrieved, modified, or removed entirely. This issue is fixed in version 7.14.7.

Key dates

Disclosure timeline

August 6, 2025 CVE published
August 7, 2025 Record updated