CVE-2019-25450

7.5 HIGH
Published: February 22, 2026 Modified: March 02, 2026
View on NVD

Description

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://www.exploit-db.com/exploits/47370
Source: disclosure@vulncheck.com
Exploit VDB Entry
https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphp
Source: disclosure@vulncheck.com
Broken Link

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.0%
12th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-89

Affected Vendors

dolibarr

Related CVEs

CVE-2026-2756 5.0
CVE-2019-25582 6.5
CVE-2019-25581 8.2
CVE-2019-25580 8.2
CVE-2019-25579 7.5