SugarCRM vulnerabilities: known CVEs & security history
SugarCRM · CRM · 63 tracked CVEs · 1 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all SugarCRM release lines — 63 in total, with 1 actively exploited in the wild. A CVE here doesn't mean your version is affected — check SugarCRM's current status and the safe version to run.
Known SugarCRM CVEs
Actively-exploited and most-severe first.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2023-22952 (exploited) | high | 8.8 | 80% | 2023 |
| CVE-2020-7472 | critical | 9.8 | 3% | 2020 |
| CVE-2012-0694 | critical | 9.8 | 67% | 2019 |
| CVE-2014-3244 | critical | 9.8 | 5% | 2018 |
| CVE-2018-6308 | critical | 9.8 | 1% | 2018 |
| CVE-2004-1225 | high | 10 | 2% | 2005 |
| CVE-2023-46816 | high | 8.8 | 1% | 2023 |
| CVE-2023-46815 | high | 8.8 | 1% | 2023 |
| CVE-2023-35811 | high | 8.8 | 1% | 2023 |
| CVE-2023-35809 | high | 8.8 | 1% | 2023 |
| CVE-2023-35808 | high | 8.8 | 1% | 2023 |
| CVE-2019-17313 | high | 8.8 | 2% | 2019 |
| CVE-2019-17312 | high | 8.8 | 2% | 2019 |
| CVE-2019-17311 | high | 8.8 | 2% | 2019 |
| CVE-2019-17308 | high | 8.8 | 1% | 2019 |
| CVE-2019-17305 | high | 8.8 | 1% | 2019 |
| CVE-2019-17303 | high | 8.8 | 1% | 2019 |
| CVE-2019-17302 | high | 8.8 | 1% | 2019 |
| CVE-2019-17300 | high | 8.8 | 1% | 2019 |
| CVE-2019-17298 | high | 8.8 | 1% | 2019 |
| CVE-2019-17297 | high | 8.8 | 1% | 2019 |
| CVE-2019-17296 | high | 8.8 | 1% | 2019 |
| CVE-2019-17295 | high | 8.8 | 1% | 2019 |
| CVE-2019-17294 | high | 8.8 | 1% | 2019 |
| CVE-2019-17293 | high | 8.8 | 1% | 2019 |
| CVE-2019-17319 | high | 8.8 | 1% | 2019 |
| CVE-2019-17318 | high | 8.8 | 1% | 2019 |
| CVE-2019-17316 | high | 8.8 | 1% | 2019 |
| CVE-2017-14509 | high | 8.8 | 6% | 2017 |
| CVE-2017-14508 | high | 8.8 | 3% | 2017 |
| CVE-2015-5946 | high | 7.8 | 2% | 2017 |
| CVE-2011-4833 | high | 7.5 | 2% | 2011 |
| CVE-2009-2978 | high | 7.5 | 1% | 2009 |
| CVE-2023-35810 | high | 7.2 | 1% | 2023 |
| CVE-2019-17314 | high | 7.2 | 2% | 2019 |
| CVE-2019-17310 | high | 7.2 | 1% | 2019 |
| CVE-2019-17309 | high | 7.2 | 1% | 2019 |
| CVE-2019-17307 | high | 7.2 | 1% | 2019 |
| CVE-2019-17306 | high | 7.2 | 1% | 2019 |
| CVE-2019-17304 | high | 7.2 | 1% | 2019 |
| CVE-2019-17301 | high | 7.2 | 1% | 2019 |
| CVE-2019-17299 | high | 7.2 | 1% | 2019 |
| CVE-2019-17292 | high | 7.2 | 1% | 2019 |
| CVE-2019-17317 | high | 7.2 | 1% | 2019 |
| CVE-2019-17315 | high | 7.2 | 1% | 2019 |
| CVE-2006-6712 | medium | 6.8 | 1% | 2006 |
| CVE-2006-2460 | medium | 6.4 | 10% | 2006 |
| CVE-2019-14974 | medium | 6.1 | 31% | 2019 |
| CVE-2018-17784 | medium | 6.1 | 4% | 2018 |
| CVE-2018-5715 | medium | 6.1 | 7% | 2018 |
| CVE-2017-14510 | medium | 6.1 | 1% | 2017 |
| CVE-2009-2146 | medium | 6 | 21% | 2009 |
| CVE-2020-36501 | medium | 5.4 | 1% | 2021 |
| CVE-2020-28956 | medium | 5.4 | 1% | 2021 |
| CVE-2020-28955 | medium | 5.4 | 1% | 2021 |
| CVE-2020-17372 | medium | 5.4 | 1% | 2020 |
| CVE-2020-17373 | medium | 5.3 | 1% | 2020 |
| CVE-2011-3803 | medium | 5 | 1% | 2011 |
| CVE-2008-2045 | medium | 5 | 5% | 2008 |
| CVE-2004-1226 | medium | 5 | 1% | 2005 |
| CVE-2010-0465 | medium | 4.3 | 1% | 2010 |
| CVE-2005-0266 | medium | 4.3 | 1% | 2005 |
| CVE-2011-0745 | medium | 4 | 6% | 2011 |
Is my SugarCRM version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
SugarCRM vulnerabilities — frequently asked
How many known vulnerabilities does SugarCRM have?
IsItPatched tracks 63 CVEs for SugarCRM, 1 of which is actively exploited (CISA KEV). 4 are critical-severity and 41 high-severity. These span every release line — what matters is whether the version you run is affected.
Does SugarCRM have any actively-exploited vulnerabilities?
Yes — 1 SugarCRM CVE is in CISA's Known Exploited Vulnerabilities catalog, meaning it is confirmed exploited in the wild. Patch it as a priority.
What is the most severe SugarCRM vulnerability?
Among tracked issues, CVE-2023-22952 (HIGH, CVSS 8.8), which is actively exploited, ranks highest: an improper input validation weakness.
Is SugarCRM safe to use?
It depends on the version. The latest supported SugarCRM release clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against SugarCRM's advisories.