

Advisory ID: https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001

Revision: 1.1

Last Updated: 2023-01-11

Status: Final


Risk Level: High

Vulnerability: RCE (Remote Code Execution)


A Remote Code Execution vulnerability has been identified in EmailTemplates. Using a specially crafted request, custom PHP code can be injected through EmailTemplates because of missing input validation. A user with any level of privileges can exploit this vulnerability.

Affected Products

The list of affected products reflects all currently maintained versions at the publication date of this advisory. If you are running older versions than the ones reported below, we strongly advise upgrading immediately to one of the supported versions.

Product Fixed Release
SugarCRM 12.0 
Enterprise, Sell, Serve 
SugarCRM 11.0 
Professional, Enterprise, Ultimate, Sell, Serve 


On-Site Customers

It is strongly recommended to upgrade the affected products to the reported fixed release version. For more information, please refer to our FAQ.

SugarCloud and SugarCRM Managed Hosting Customers

A hotfix has been applied to all supported Sugar versions.


There is no workaround available for this vulnerability.

Publication History

2023-01-11 Update Fixed Release
2023-01-10 Update audience disclosure
2023-01-03 Internal disclosure

A stand-alone copy of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. SugarCRM reserves the right to change or update this document at any time.


The vulnerability has been responsibly disclosed by several SugarCRM partners and has been fixed by the SugarCRM Security Team.