VDB
CVE-2019-25450
PUBLISHED
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.
EPSS 0.05% · 17.2th percentile
Risk Scores
EPSS Score
0.05%
17.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | dolibarr | 0, 3.5.5+dfsg1-2, 3.5.7+dfsg1-1 |
Exploit Intelligence
- https://www.exploit-db.com/exploits/47370 (nist-nvd)
- CIRCL seen: CVE-2019-25450 (circl-sighting)
- VulnCheck Advisory: Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php (circl)
Timeline
- Feb 22, 2026 CVE Published
- Feb 23, 2026 EPSS Score
- Feb 25, 2026 EPSS Score
- Feb 26, 2026 EPSS Score
- Feb 26, 2026 PoC Published
- Feb 28, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
- Mar 6, 2026 EPSS Score
- Mar 8, 2026 EPSS Score
- Mar 10, 2026 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-25450 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-25450 third-party-advisory
- https://www.exploit-db.com/exploits/47370 third-party-advisory
- https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphp third-party-advisory