Cyber Posture

CVE-2019-25663

High · Public PoC

Published: 05 April 2026
Modified: 20 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: (no entry)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0006 (18.0th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-25663 is a high-severity SQL injection (CWE-89) vulnerability in SalesAgility SuiteCRM. Its CVSS base score is 7.1 (High).

Operationally, it is ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: SI-10 (Information Input Validation). Directly prevents SQL injection attacks like CVE-2019-25663 by validating and sanitizing user input such as the parentTab parameter before a database query is constructed.

- prevent: flaw remediation. Ensures timely identification, reporting, and patching of known flaws like CVE-2019-25663 in SuiteCRM, eliminating the SQL injection vulnerability.

- prevent: SC-7 (Boundary Protection). Boundary protection mechanisms such as web application firewalls can inspect and block malicious GET requests carrying SQL injection payloads in the parentTab parameter.

NVD Description

SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values, using boolean-based SQL injection techniques to extract sensitive database information.

Deeper analysis

CVE-2019-25663 is a SQL injection vulnerability (CWE-89) present in SuiteCRM version 7.10.7. The flaw resides in the email module, where the parentTab parameter fails to properly sanitize user input, enabling attackers to inject malicious SQL code into database queries via GET requests.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting GET requests to the email module with specially formatted parentTab values using boolean-based blind SQL injection techniques, they can extract sensitive information from the database. The CVSS v3.1 base score of 7.1 reflects high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N), with no scope change (S:U).
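As an added defender-side example (not part of this advisory or of SuiteCRM's code), the following Python scans web server access logs for requests whose parentTab value is not a plain identifier and groups them by client, since boolean-based blind injection shows up as many paired true/false probes from one authenticated client rather than a single odd request. The Combined Log Format, the module=Emails query layout and the rule that a legitimate tab name is an identifier are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption (not from SuiteCRM code): a legitimate tab name is a plain identifier.
# Anything else is the kind of input SI-10 style validation rejects server-side.
TAB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
# Combined Log Format prefix: client, ident, user, [timestamp], "METHOD target proto".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+"')

# Constructed log lines, not real traffic; module=Emails is an assumed query layout.
# Lines 2-3 show the paired true/false probes typical of boolean-based blind injection.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Apr/2026:10:00:01 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities HTTP/1.1" 200 5120
10.0.0.9 - - [05/Apr/2026:10:00:02 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities%27%20AND%201%3D1-- HTTP/1.1" 200 5120
10.0.0.9 - - [05/Apr/2026:10:00:03 +0000] "GET /index.php?module=Emails&action=index&parentTab=Activities%27%20AND%201%3D2-- HTTP/1.1" 200 4096
10.0.0.5 - - [05/Apr/2026:10:00:04 +0000] "GET /index.php?module=Accounts&action=index HTTP/1.1" 200 7000
"""

def anomalous_parent_tab(line: str):
    """Return (client, decoded parentTab) when the value is not a plain identifier,
    else None; requests without parentTab are ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target = m.group(1), m.group(3)
    params = parse_qs(urlparse(target).query)  # percent-decodes values
    for value in params.get("parentTab", []):
        if not TAB_NAME_RE.match(value):
            return client, value
    return None

def scan(log_text: str) -> dict:
    """Group anomalous parentTab values by client address for triage."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = anomalous_parent_tab(line)
        if result:
            hits[result[0]].append(result[1])
    return dict(hits)

def blind_injection_suspects(log_text: str, min_probes: int = 2) -> list:
    """Clients sending several distinct anomalous values. Boolean-based blind
    extraction needs many paired probes, so one odd value alone is weak evidence."""
    return sorted(c for c, vals in scan(log_text).items() if len(set(vals)) >= min_probes)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
    print("suspects:", blind_injection_suspects(SAMPLE_LOG))
```

Because the rule is an allowlist on the parameter's expected shape rather than a payload signature, it also catches encodings a signature list would miss; tune TAB_NAME_RE to the tab names your deployment actually uses before alerting on it.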

Advisories such as the VulnCheck report at https://www.vulncheck.com/advisories/suitecrm-sql-injection-via-parenttab-parameter detail the issue, while patches and updates are available via the official SuiteCRM download page at https://suitecrm.com/download/. A proof-of-concept exploit is publicly documented at https://www.exploit-db.com/exploits/46310.

This vulnerability was published on 2026-04-05, and the Exploit-DB entry indicates that proof-of-concept code is publicly available for real-world exploitation testing.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: salesagility / suitecrm, versions ≤ 7.10.7

CVEs Like This One

CVE-2019-25664 - Same product: Salesagility Suitecrm
CVE-2025-54788 - Same product: Salesagility Suitecrm
CVE-2022-50589 - Same product: Salesagility Suitecrm
CVE-2025-54785 - Same product: Salesagility Suitecrm
CVE-2022-45186 - Same product: Salesagility Suitecrm
CVE-2022-45185 - Same product: Salesagility Suitecrm
CVE-2026-2094 - Shared CWE-89
CVE-2026-3180 - Shared CWE-89
CVE-2025-1872 - Shared CWE-89
CVE-2026-23492 - Shared CWE-89
