RCE in Dogfood CRM

CVE-2009-20010

Dogfood CRM version 2.0.10 contains a remote command execution vulnerability in the spell.php script used by its mail subsystem. The vulnerability arises from unsanitized user input passed via a POST request to the data parameter, which is…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.647 (98.5th percentile)

Frequently asked questions

What is CVE-2009-20010?
CVE-2009-20010 is a vulnerability in Dogfood CRM, classified under OS Command Injection. Published 2025-08-30.

Is CVE-2009-20010 known to be exploited?
2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.