CVE-2019-25669
NVD
CVSS Score: 8.2
Severity: HIGH
Published: Apr 05, 2026
Vendor: unknown
Description
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information.