Authenticated File Upload Vulnerability in Vtiger CRM Leading to Remote Code Execution (CVE-2026-23697)
A critical vulnerability (CVE-2026-23697) has been discovered in Vtiger CRM versions prior to 8.4.0. This authenticated file upload vulnerability allows low-privileged users to achieve remote code execution by uploading a .phar file containing arbitrary PHP code through the Documents module. The vulnerability has a CVSS score of 8.8 and is considered high severity. Organizations using affected versions of Vtiger CRM should immediately upgrade to version 8.4.0 or apply recommended mitigations.