CVE-2019-25446

HIGH

DIGIT CENTRIS ERP - Unauthenticated SQL Injection via datum1, datum2, KID, and PID Parameters

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25446. PoCs published by n1x_.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in DIGIT CENTRIS 4 ERP via the 'datum1', 'datum2', 'KID', and 'PID' parameters in a POST request to 'korisnikinfo.php'. The payload injects single quotes to break the SQL query structure, confirming the vulnerability.

Description

DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.

Exploits (1)

exploitdb WORKING POC
by n1x_ · text · webapps · php
https://www.exploit-db.com/exploits/47401

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: DIGIT CENTRIS 4 ERP (all versions)
No auth needed
Prerequisites: Network access to the target application
devstral-2 · analyzed Feb 22, 2026

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47401

Scores

CVSS v3 8.2
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE CWE-89
Status published
Products (1)
Digit-Rs/DIGIT CENTRIS
Published Feb 22, 2026
Tracked Since Feb 22, 2026