Cyber Posture

CVE-2019-25710

Severity: High · Public PoC

Published: 12 April 2026

Modified: 17 April 2026
KEV Added: not listed
Patch: (none listed)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-25710 is a high-severity SQL Injection (CWE-89) vulnerability in Dolibarr ERP/CRM. Its CVSS base score is 8.2 (High).

Operationally, its EPSS score places it at the 8.5th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Information input validation (SI-10) directly prevents this SQL injection by validating and sanitizing the rowid POST parameter before it reaches any database query.
- prevent: Error handling (SI-11) suppresses database error messages, removing the feedback channel that the error-based SQL injection technique used in this CVE relies on.
- prevent: Flaw remediation requires patching the Dolibarr ERP-CRM SQL injection vulnerability so that arbitrary SQL query execution is no longer possible.

NVD Description

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.

Deeper analysis (AI)

Dolibarr ERP-CRM version 8.0.4 suffers from an SQL injection vulnerability identified as CVE-2019-25710 (CWE-89) in the rowid POST parameter of the admin/dict.php endpoint. This flaw enables attackers to inject malicious SQL code, executing arbitrary SQL queries and extracting sensitive database information via error-based SQL injection techniques. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting its high severity due to network accessibility and significant confidentiality impact.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. Exploitation allows execution of arbitrary SQL queries, whose primary impact is high-severity data extraction from the database, with limited integrity impact and no availability impact.

Relevant advisories and resources include a proof-of-concept exploit detailed on Exploit-DB at https://www.exploit-db.com/exploits/46095 and a VulnCheck advisory at https://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via-rowid-parameter. The official Dolibarr website is available at https://www.dolibarr.org/, along with the vulnerable version 8.0.4 download at https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip.
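To make the mitigating controls above concrete (SI-10 input validation and SI-11 error handling against the error-based injection pattern described here), the following is an added illustration written for this page. It is not Dolibarr's PHP code: it uses a constructed in-memory sqlite3 table (`c_dict`) and hypothetical lookup functions standing in for the real admin/dict.php handler, so the vulnerable and hardened shapes can be compared side by side.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a dictionary table; not Dolibarr's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE c_dict (rowid INTEGER PRIMARY KEY, label TEXT)")
    conn.executemany("INSERT INTO c_dict VALUES (?, ?)", [(1, "alpha"), (2, "beta")])
    return conn


def lookup_vulnerable(conn, rowid):
    """CWE-89 pattern: the raw POST value is spliced into the SQL text, and any
    database error text is returned verbatim (the error-based feedback channel)."""
    try:
        cur = conn.execute("SELECT label FROM c_dict WHERE rowid = " + rowid)
        return {"ok": True, "labels": [r[0] for r in cur.fetchall()]}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def is_valid_rowid(raw):
    """SI-10: a row id is a plain non-negative integer of sane length; reject all else."""
    return isinstance(raw, str) and raw.isdigit() and len(raw) <= 18


def lookup_hardened(conn, raw):
    """Validate first, then bind the value as a parameter so it can never alter the
    query grammar. SI-11: database errors go to the server log only; the client
    receives a generic message, so no error text is available to probe with."""
    if not is_valid_rowid(raw):
        return {"ok": False, "error": "invalid request"}
    try:
        cur = conn.execute("SELECT label FROM c_dict WHERE rowid = ?", (int(raw),))
        return {"ok": True, "labels": [r[0] for r in cur.fetchall()]}
    except sqlite3.Error as exc:
        print("db error (server log only):", exc)
        return {"ok": False, "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))    # {'ok': True, 'labels': ['alpha']}
    print(lookup_vulnerable(db, "1'"))   # {'ok': False, 'error': '<raw SQLite error text>'}
    print(lookup_hardened(db, "1'"))     # {'ok': False, 'error': 'invalid request'}
    print(lookup_hardened(db, "2"))      # {'ok': True, 'labels': ['beta']}
```

The second call shows why SI-11 matters on its own: even a malformed value that does nothing useful still leaks the database engine's error text, which is exactly the signal error-based injection is built on.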

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: dolibarr dolibarr erp/crm, versions ≤ 8.0.4

CVEs Like This One

- CVE-2019-25452 (same product: Dolibarr ERP/CRM)
- CVE-2019-25450 (same product: Dolibarr ERP/CRM)
- CVE-2024-55227 (same product: Dolibarr ERP/CRM)
- CVE-2026-31019 (same product: Dolibarr ERP/CRM)
- CVE-2025-56588 (same product: Dolibarr ERP/CRM)
- CVE-2024-55228 (same product: Dolibarr ERP/CRM)
- CVE-2026-22666 (same product: Dolibarr ERP/CRM)
- CVE-2026-23500 (same product: Dolibarr ERP/CRM)
- CVE-2026-31018 (same product: Dolibarr ERP/CRM)
- CVE-2026-2094 (shared CWE-89)
