PatchSiren

Vtiger CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Vtiger CVE published 2026-07-07

CVE-2026-23698

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature. This vulnerability allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function. The uploaded files are extracted directly into the modules/ directory under the web root without validating file types b [truncated]

HIGH Vtiger CVE published 2026-07-07

CVE-2026-23697

Vtiger CRM before 8.4.0 contains an authenticated file upload vulnerability that allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module, bypassing the extension denylist in config.inc.php which omits the .phar extension. This vulnerability has a high impact on affected deployments, as it allows attackers to execute [truncated]