High severity8.2NVD Advisory· Published Apr 5, 2026· Updated Apr 20, 2026

CVE-2019-25675

Description

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters. Attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as administrator, then leverage authenticated file disclosure vulnerabilities in language_file.php to read arbitrary PHP files from the server.

Affected products

Arcasolutions/Edirectory
cpe:2.3:a:arcasolutions:edirectory:*:*:*:*:*:*:*:*
Range: <=1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.exploit-db.com/exploits/46423nvdExploitVDB Entry
www.vulncheck.com/advisories/edirectory-all-versions-sql-injection-authentication-bypassnvdThird Party Advisory
www.edirectory.comnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000