CVE-2019-25710 HIGH

CVE-2019-25710: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter

Vendor Dolibarr
Product Dolibarr ERP-CRM
Weakness CWE-89 · SQLi
Published April 12, 2026
Last update April 13, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.

Key dates

02 Disclosure timeline

April 12, 2026 CVE published
April 13, 2026 Record updated

Related vulnerabilities

04 Related CVE