How to fix CVE-2019-25452?

Within 24 hours: Identify all instances of Dolibarr 10.0.1 in production and take inventory of exposed data classifications. Within 7 days: Implement WAF rules to block POST requests to viewcat.php with SQL injection patterns in the elemid parameter, or restrict access to this endpoint via network firewall rules. Within 30 days: Upgrade to a patched Dolibarr version (11.0+) or transition to an alternative ERP/CRM platform if upgrade is not feasible.

Is PHP affected by CVE-2019-25452?

Dolibarr ERP/CRM version 10.0.1 contains a critical SQL injection vulnerability accessible to unauthenticated attackers, potentially exposing customer data, financial records, and business intelligence stored in the system.

CVE-2019-25452

HIGH

2026-02-22 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

PoC Detected

Mar 02, 2026 - 15:16 vuln.today

Public exploit code

CVE Published

Feb 22, 2026 - 14:16 nvd

HIGH 7.5

Description

Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.

Analysis

Technical Context

Classified as CWE-89 (SQL Injection). Affects the elemid POST component of Dolibarr Erp\/Crm. Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.

Affected Products

Vendor: Dolibarr. Product: Dolibarr Erp\/Crm. Versions: up to 10.0.1. Component: elemid POST.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: +20

CVE-2019-25452 vulnerability details – vuln.today

Back

CVE-2019-25452

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2019-25452

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code