Description
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
Published: 2026-04-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection enabling arbitrary database queries leading to data exposure
Action: Immediate Patch
AI Analysis

Impact

Dolibarr ERP‑CRM version 8.0.4 contains an SQL injection flaw in the rowid parameter of the admin dict.php endpoint. The input is not validated, allowing attackers to inject and execute arbitrary SQL statements via a POST request. This can expose sensitive database information such as user credentials, financial records, or any other tables accessible to the database user. The weakness is a classic SQL injection (CWE‑89).

Affected Systems

Dolibarr ERP‑CRM version 8.0.4 is affected. No other versions are listed as impacted in the available data.

Risk and Exploitability

The severity score of 8.8 classifies the vulnerability as high risk. No EPSS information is available, and it is not included in the CISA KEV catalog. The likely attack path involves a web‑based POST request to the admin dict.php endpoint, which normally requires administrator authentication. If an attacker gains access to the administrative interface, they can inject malicious SQL through error‑based techniques and retrieve or manipulate sensitive data. Proper access control and input validation are crucial to mitigate this risk.

Generated by OpenCVE AI on April 12, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Dolibarr ERP‑CRM update that addresses the SQL injection issue.
  • If an upgrade cannot be performed immediately, restrict access to the admin dict.php page to a minimal set of trusted personnel and monitor for anomalous queries.
  • Consider disabling or restricting the rowid functionality if it is not required in your environment.
  • Verify that all database interactions in the application use parameterized queries and input validation to prevent future injection attempts.

Generated by OpenCVE AI on April 12, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xxxg-x793-7fq3 Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php
History

Fri, 17 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Dolibarr dolibarr Erp/crm
Vendors & Products Dolibarr dolibarr Erp/crm

Mon, 13 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 12 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
Title Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter
First Time appeared Dolibarr
Dolibarr dolibarr Erp\/crm
Weaknesses CWE-89
CPEs cpe:2.3:a:dolibarr:dolibarr_erp\/crm:8.0.4:*:*:*:*:*:*:*
Vendors & Products Dolibarr
Dolibarr dolibarr Erp\/crm
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dolibarr Dolibarr Erp/crm Dolibarr Erp\/crm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-13T12:07:35.021Z

Reserved: 2026-04-12T12:16:07.503Z

Link: CVE-2019-25710

cve-icon Vulnrichment

Updated: 2026-04-13T12:07:30.483Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-12T13:16:34.127

Modified: 2026-04-17T14:25:58.687

Link: CVE-2019-25710

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:54:09Z

Weaknesses