Unrated severityNVD Advisory· Published Feb 22, 2026· Updated Apr 7, 2026

Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php

CVE-2019-25450

Description

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

Affected products

Dolibarr/Dolibarrllm-fuzzy
Range: <=10.0.1
Dolibarr/Dolibarr ERP/CRMv5
Range: 10.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/47370mitreexploit
www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphpmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000