CVE-2009-20010 CRITICAL

CVE-2009-20010: Dogfood CRM spell.php RCE

Vendor Dogfood Crm

Product Dogfood CRM

Weakness CWE-78

Published August 30, 2025

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Dogfood CRM version 2.0.10 contains a remote command execution vulnerability in the spell.php script used by its mail subsystem. The vulnerability arises from unsanitized user input passed via a POST request to the data parameter, which is processed by the underlying shell without adequate escaping. This allows attackers to inject arbitrary shell commands and execute them on the server. The flaw is exploitable without authentication and was discovered by researcher LSO.

Key dates

02Disclosure timeline

August 30, 2025 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2009-20010

Related vulnerabilities

CVE-2009-20010: Dogfood CRM spell.php RCE

01Description

02Disclosure timeline

03References

04Related CVE