Company
Date Published
Author
Robin Peraglie
Word count
863
Language
English
Hacker News points
None

Summary

The authors analyzed the open-source edition of SugarCRM, a widely used customer relationship management application, with their static code analysis technology shortly after the vendor had completed a manual security audit. The analysis surfaced several severe vulnerabilities that the manual audit had missed: a multi-step PHP object injection, a blind SQL injection exploitable through CSRF, and an authenticated file disclosure. The root cause was mainly a single global input sanitization function: a filter applied once to all incoming data cannot make that data safe for every context it later reaches (HTML output, SQL queries, PHP deserialization), because each context needs its own escaping or validation. Successfully exploited, these issues could let an attacker steal customer data and sensitive files from the server. The SugarCRM team has released a fixed version, and users are urged to update.
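The following PHP snippet is an added illustration of the root cause named above, not code from the article or from SugarCRM: a global sanitizer that only neutralizes the HTML context leaves a value fully dangerous when it is concatenated into SQL, while binding the value for the SQL context itself closes the hole. The function names, the `contacts` table and the sample rows are hypothetical and constructed for the example; it runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example (not SugarCRM code): one global sanitizer versus
// context-specific handling. Function names and table are hypothetical.

// A typical "sanitize everything once on the way in" helper. It only
// neutralises the HTML context: <, >, &, " and ' are encoded, nothing else.
function global_sanitize(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the globally sanitized value is pasted into a SQL
// string. A payload such as "1 OR 1=1" contains none of the characters
// htmlspecialchars touches, so it survives unchanged and rewrites the
// WHERE clause.
function build_query_unsafe(string $userInput): string
{
    $safe = global_sanitize($userInput);
    return "SELECT * FROM contacts WHERE id = " . $safe;
}

// Hardened pattern: treat the value for the SQL context itself. The
// parameter is bound as an integer, so the query structure is fixed no
// matter what the global filter did or did not do.
function build_query_safe(PDO $pdo, string $userInput): PDOStatement
{
    $stmt = $pdo->prepare('SELECT * FROM contacts WHERE id = :id');
    $stmt->bindValue(':id', (int) $userInput, PDO::PARAM_INT);
    return $stmt;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO contacts VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

$payload = "1 OR 1=1";

// The sanitizer changed nothing: the query text still carries the OR clause.
$sql = build_query_unsafe($payload);
echo $sql, "\n";
$leaked = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN, 1);
echo "concatenation returned ", count($leaked), " rows: ", implode(', ', $leaked), "\n";

// The bound integer parameter confines the lookup to a single id.
$stmt = build_query_safe($pdo, $payload);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
echo "prepared statement returned ", count($rows), " rows: ", implode(', ', $rows), "\n";
```

Run with `php example.php` (the `pdo_sqlite` extension must be enabled). The concatenated query returns every contact because the sanitizer never looked at the SQL context, whereas the prepared statement returns only the row for id 1, since `(int) "1 OR 1=1"` is 1 and the parameter is bound rather than spliced into the query text. The same reasoning applies to the other contexts the article mentions: HTML escaping does nothing for data that later reaches `unserialize()` or a filesystem path, so each sink needs its own check.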