CVE-2019-25452
published 2026-02-22CVE-2019-25452: Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers…
PriorityP354high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.37%
29.1th percentile
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr_erp_crm | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv4.08.8HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2019-25452: Dolibarr ERP/CRM 10
osv·2026-02-22·CVSS 8.8
CVE-2019-25452 [HIGH] CVE-2019-25452: Dolibarr ERP/CRM 10
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
GHSA
GHSA-ff6v-wx52-q8j8: Dolibarr ERP/CRM 10
ghsa_unreviewed·2026-02-22
CVE-2019-25452 [HIGH] CWE-89 GHSA-ff6v-wx52-q8j8: Dolibarr ERP/CRM 10
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-02-22
Published