CVE-2025-45868
Received Received - Intake

Blind SQL Injection in LogicalDOC Enterprise

Vulnerability report for CVE-2025-45868, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: MITRE

Description

LogicalDOC Enterprise up to and for v9.1.1 is vulnerable to blind SQL injection in the ComparisonServlet component, allowing authenticated user to manipulate SQL queries via crafted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
logicaldoc enterprise to 9.1.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-45868 is a blind SQL injection vulnerability in LogicalDOC Enterprise versions up to 9.1.1. It affects the ComparisonServlet component, specifically the /compare endpoint which processes parameters like docId1, docId2, fileVersion1, and fileVersion2. The vulnerability arises because fileVersion1 and fileVersion2 are used to build an HQL query without proper sanitization or parameter binding, allowing authenticated users to inject crafted expressions.

Detection Guidance

To detect this vulnerability, monitor HTTP requests to the /compare endpoint with parameters like docId1, docId2, fileVersion1, and fileVersion2. Look for unusual SQL-like expressions in these parameters. Use tools like Burp Suite or sqlmap to test for blind SQL injection by sending crafted inputs and observing error responses or PDF generation.

Impact Analysis

An attacker with low privileges could exploit this to manipulate SQL queries and infer database values character by character. This may expose sensitive data such as usernames, email addresses, password hashes, or other confidential records. The attack could lead to information disclosure and potential privilege escalation within the system.

Compliance Impact

This vulnerability could lead to unauthorized access and exposure of sensitive personal data, violating compliance requirements under GDPR and HIPAA. GDPR mandates protection of personal data, while HIPAA requires safeguarding protected health information. A breach could result in legal penalties, reputational damage, and loss of trust.

Mitigation Strategies

Immediately upgrade to LogicalDOC 9.2 or apply the vendor patch. Ensure HQL/SQL queries use parameterized inputs and validate fileVersion1 and fileVersion2 strictly. Restrict access to the /compare endpoint to authorized users only and monitor for suspicious activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-45868. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart