CVE-2019-25450

HIGH 7.5

Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

CWE	CWE-89
Vendor	dolibarr
Product	dolibarr erp/crm
Published	Feb 22, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr dolibarr erp/crm

Be the first to know when new high vulnerabilities affecting dolibarr dolibarr erp/crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Dolibarr / Dolibarr ERP/CRM

10.0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/47370 vulncheck.com: https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphp

Credits

Metin Yunus Kandemir (kandemir)