CVE-2019-25450

HIGH

Dolibarr ERP/CRM 10.0.1 - SQL Injection

Title source: llm

Description

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

Exploits (1)

exploitdb WORKING POC

by Metin Yunus Kandemir · textwebappsphp

https://www.exploit-db.com/exploits/47370

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/47370

[Third Party Advisory] https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphp

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 14.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

Dolibarr/Dolibarr ERP/CRM 10.0.1

dolibarr/dolibarr_erp\/crm 10.0.1

Published Feb 22, 2026

Tracked Since Feb 22, 2026