CVE-2019-25452

HIGH

Dolibarr ERP/CRM 10.0.1 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25452. PoCs published by Metin Yunus Kandemir.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in Dolibarr ERP/CRM version 10.0.1 via the 'elemid' POST parameter. It includes both error-based and time-based blind SQL injection payloads, confirming the vulnerability's exploitability.

Description

Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.

Exploits (1)

exploit-db · Working PoC
by Metin Yunus Kandemir · text · webapps · php
https://www.exploit-db.com/exploits/47362

Classification
Working PoC 95%
Attack Type
SQLi
Complexity
Trivial
Reliability
Reliable
Target: Dolibarr ERP/CRM 10.0.1
Auth required
Prerequisites: Valid session token · Access to the vulnerable endpoint
devstral-2 · analyzed Feb 22, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory
https://www.exploit-db.com/exploits/47362

Scores

CVSS v3 7.5
EPSS 0.0037
EPSS Percentile 28.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Dolibarr/Dolibarr ERP/CRM 10.0.1
dolibarr/dolibarr_erp/crm 10.0.1
Published Feb 22, 2026
Tracked Since Feb 22, 2026