How to fix CVE-2019-25450?

Within 24 hours: Identify all systems running Dolibarr 10.0.1 and restrict database access to minimum required users; review access logs for suspicious POST parameter activity. Within 7 days: Deploy WAF rules to block SQL injection patterns in POST parameters; implement input validation and parameterized query enforcement at the application layer if accessible. Within 30 days: Upgrade to Dolibarr version 11.0 or later (post-10.0.1 releases contain patches); if upgrade is not feasible, decommission the affected instance or isolate it from production networks.

Is PHP affected by CVE-2019-25450?

Dolibarr ERP/CRM 10.0.1 contains authenticated SQL injection vulnerabilities that could allow internal users or compromised accounts to extract, modify, or delete sensitive business data from the database.

CVE-2019-25450

HIGH

2026-02-22 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Mar 02, 2026 - 15:16 vuln.today

Public exploit code

CVE Published

Feb 22, 2026 - 14:16 nvd

HIGH 7.5

Description

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

Analysis

Technical Context

Classified as CWE-89 (SQL Injection). Affects the POST component of Dolibarr Erp\/Crm. Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

Affected Products

Vendor: Dolibarr. Product: Dolibarr Erp\/Crm. Versions: up to 10.0.1. Component: POST.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: +20

CVE-2019-25450 vulnerability details – vuln.today

Back

CVE-2019-25450

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2019-25450

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code