CVE-2019-25675 HIGH

CVE-2019-25675: eDirectory All Versions SQL Injection Authentication Bypass

Vendor Edirectory
Product eDirectory
Weakness CWE-89 · SQLi
Published April 5, 2026
Last update April 6, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters. Attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as administrator, then leverage authenticated file disclosure vulnerabilities in language_file.php to read arbitrary PHP files from the server.

Key dates

02Disclosure timeline

April 5, 2026 CVE published
April 6, 2026 Record updated