CVE-2025-64491 MEDIUM

CVE-2025-64491: SuiteCRM is vulnerable to unauthenticated reflected XSS through its Login page

Vendor Suitecrm
Product SuiteCRM
Weakness CWE-79 · XSS
Published November 8, 2025
Last update November 10, 2025

CVSS base score

6.1/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) application. Versions 7.14.7 and below are vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) through the Login page, so no valid account is needed to trigger the flaw. Because the injected script runs in the victim's browser within the SuiteCRM origin, successful exploitation could lead to full account takeover, for example by altering the login form so that the submitted credentials are sent to an attacker-controlled server. As with any reflected XSS issue, exploitation requires the victim to open a crafted malicious link, which can be delivered via phishing, social media, or other communication channels; this is why the CVSS vector carries User interaction: Required. The issue is fixed in version 7.14.8.

Key dates

02 Disclosure timeline

November 8, 2025 CVE published
November 10, 2025 Record updated
