SuiteCRM Server-Side Request Forgery Vulnerability via PDF Export

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in SuiteCRM versions prior to 7.15.1 and 8.9.3. The issue arises because users can create PDF templates that include `<img>` tags. When a PDF is exported using such a template, the image source is resolved on the server side, causing the server to issue a request to whatever URL the tag specifies. This behavior comes from the PDF export library tc-lib-file, which is based on TCPDF.
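One defensive check for this class of issue, added here as an example and not code from SuiteCRM or from tc-lib-file: before a template reaches the server-side renderer, collect every `<img src>` value and refuse anything that is not an http(s) URL to a host on an explicit allow-list, rejecting loopback, private and other non-global IP literals outright. The allow-list host name and the sample template are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts the PDF renderer may fetch images from.
ALLOWED_IMAGE_HOSTS = {"assets.example.com"}

class _ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in the template."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value is not None:
                    self.sources.append(value.strip())

def check_img_source(src, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return (allowed, reason) for a single image source."""
    parsed = urlparse(src)
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        return False, "scheme not http(s): %r" % (scheme or "none")
    host = parsed.hostname
    if not host:
        return False, "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; checked against the allow-list below
    # Loopback, private, link-local and other non-global literals are
    # refused outright; DNS names are still subject to the allow-list.
    if ip is not None and not ip.is_global:
        return False, "non-global address %s" % ip
    if host.lower() not in allowed_hosts:
        return False, "host %s not in allow-list" % host
    return True, "ok"

def audit_template(template_html, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return [(src, allowed, reason)] for every <img> found."""
    collector = _ImgSrcCollector()
    collector.feed(template_html)
    return [(s,) + check_img_source(s, allowed_hosts) for s in collector.sources]

# Constructed sample template (not from any real SuiteCRM installation).
SAMPLE_TEMPLATE = """<h1>Invoice</h1><img src="https://assets.example.com/logo.png">
<img src="http://127.0.0.1/x.png"><img src="http://10.0.0.5/x.png">
<img src="file:///tmp/x.png"><img src="https://other.example.net/x.png">"""
```

The check operates on the host string only; an allow-listed name can still resolve to an internal address, so a deployment should also constrain resolution in the HTTP client the renderer uses.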

Impact

Exploitation of this vulnerability allows server-side request forgery: the server issues requests to URLs chosen by whoever can create or edit PDF templates. The impact varies with the server's network environment and with which internal resources are reachable from it.

Remediation

Upgrade to SuiteCRM 7.15.1 or 8.9.3, which address this vulnerability.

Added: Mar 19, 2026, 11:25 PM
Updated: Mar 19, 2026, 11:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.7
remediation: 0.0
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.