Released 19th March 2026
CVE: CVE-2026-29189: Improper Access Control | GitHub Advisory | Reporter: lighthousekeeper1212
CVE: CVE-2026-29100: HTML Injection Vulnerability | GitHub Advisory | Reporter: Dimitris Mitropoulos, University of Athens and National Infrastructures for Research and Technology - GRNET
CVE: CVE-2026-29098: Path Traversal Vulnerability | GitHub Advisory | Reporter: JBince
CVE: CVE-2026-29099: SQL Injection Vulnerability | GitHub Advisory | Reporter: JBince
CVE: CVE-2026-29102: RCE Vulnerability | GitHub Advisory | Reporter: Reuben Seah
CVE: CVE-2026-29101: Path Traversal Vulnerability | GitHub Advisory | Reporter: Reuben Seah
CVE: CVE-2026-29105: Open Redirect Vulnerability | GitHub Advisory | Reporter: d3dn0v4
CVE: CVE-2026-29104: Authenticated Arbitrary File Upload Vulnerability | GitHub Advisory | Reporter: d3dn0v4
CVE: CVE-2026-29106: XSS Vulnerability | GitHub Advisory | Reporter: Suphawith Phusanbai
CVE: CVE-2026-29107: Authenticated SSRF Vulnerability | GitHub Advisory | Reporter: Parnuski
CVE: CVE-2026-29097: SSRF and DoS Vulnerability | GitHub Advisory | Reporter: Ravindu Wickramasinghe (rvz)
CVE: CVE-2026-29103: RCE Vulnerability | GitHub Advisory | Reporter: DQH1
CVE: CVE-2026-29096: SQL Injection Vulnerability | GitHub Advisory | Reporter: q1uf3ng
CVE: CVE-2026-33288: SQL Vulnerability | GitHub Advisory | Reporter: Guilherme Mury (Kilserv)
CVE: CVE-2026-33288: LDAP Injection Vulnerability | GitHub Advisory | Reporter: Guilherme Mury (Kilserv)
PR: 10753 - Added Redis Password and configuration documentation to SugarCacheRedis.php
PR: 9388 - Optimise Export Memory Usage
PR: 7317 - Fix #7316 - Delete Vardefs files after deleting custom field
PR: 10751 - SugarApplication::redirect adds "Location", calling with "Location" doubles it result is not working
PR: 10781 - Fix #10780 issue with language file being overwritten
PR: 10631 - Fix #10630 - Scheduled task “Run Email Reminder Notifications” does not run when deleting a person
PR: 10707 - Fix #10621 - Localize checkbox values in PDF templates
PR: 10768 - Fix #10767 Image field comes with an extra "10" in image src
PR: 10677 - Fix #10676 - Remove old query which duplicates email address in table
PR: 10779 - Update Dependencies
PR: 10514 - Fix #10513 - When field to be updated is email1 then use new logic to update related email account record
PR: 10761 - Fix #10759 Fix issue with white screen on login after requesting 2nd 2FA code
PR: 10760 - Fix #9450 - Prevent Spaces in Grouped Report Ids
Special thanks to the following members for their contributions and participation in this release!
Special thanks to everyone who reported the security issues addressed in this release!
Please visit the official website to find the appropriate upgrade package.
Released 18 December 2025
Lucene Global Search is now officially deprecated.
If you currently use Lucene, it will remain functional after the upgrade to 7.15.0. However, we strongly recommend transitioning to an alternative search mechanism, as support will be removed in a future release.
Support for PHP 8.4: SuiteCRM is now fully compatible with PHP 8.4.
In PHP 8.4, the IMAP extension is no longer bundled. Ensure your environment is configured correctly. See PHP 8.4 Change Log.
Minimum Version Bump: To ensure security and performance, the minimum supported version is now PHP 8.1.
We have introduced more granular controls for automatic email importing to reduce server load and improve accuracy:
Unread Only: Fetch only unread emails during import.
Custom Start Points: Set a specific starting date/point for new mailbox imports.
Threshold Limits: Define the maximum number of emails imported per scheduled run.
Global defaults can be managed in Admin > Email Settings, or overridden for individual inbound accounts.
To see more information on these new configuration options, please refer to the Automatic Email Importing documentation.
The calendar experience has been overhauled with a focus on interoperability:
Calendar Invite Support: SuiteCRM meeting and call invites now support "Calendar Invite" functionality for Google Calendar, Outlook and many more.
When a user receives a SuiteCRM meeting or call invite, they will be able to add the event directly to their calendar with a single click.
Admin Sync Settings: A new dedicated section in the Administration panel for global synchronization behavior.
New "Calendar Accounts" Module: Manage all connections (including new CalDAV support) directly from your User Profile.

To learn more about setting up Calendar integration and the configuration options available, please refer to the Calendar Configuration documentation.
TinyMCE 8: The text editor has been upgraded to provide a consistent look and feel across all SuiteCRM modules.
Responsive Surveys: Improved CSS styling ensures that Surveys look professional and remain easy to use on mobile devices and tablets.
V8 API: OAuth Auth Code Grant: We now support the Authorization Code Grant flow, allowing for more secure, industry-standard authentication for external applications.

To learn more about what an Auth Code Grant is and how to set it up, please refer to the OAuth Authorization Code Grant Type documentation.
New or updated guides are available for:
Special thanks to the following members for their contributions and participation in this release!
Please visit the official website to find the appropriate upgrade package.
To report any security issues, please follow our Security Policy.
Content is available under GNU Free Documentation License 1.3 or later unless otherwise noted.