Dolibarr


Products by Dolibarr, sorted by most security vulnerabilities since 2018

Dolibarr Erpcrm: 94 vulnerabilities
Dolibarr: 83 vulnerabilities

By the Year

In 2026 there have been 4 vulnerabilities in Dolibarr with an average score of 6.7 out of ten. Last year, in 2025, Dolibarr had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Dolibarr in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 2.23.

Year  Vulnerabilities  Average Score
2026  4                6.70
2025  4                8.93
2024  9                7.48
2023  9                7.57
2022  14               7.19
2021  7                7.23
2020  20               6.70
2019  26               7.05
2018  10               8.64

It may take a day or so for new Dolibarr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Dolibarr Security Vulnerabilities

CVE-2019-25452 (Feb 22, 2026)
Title: Dolibarr ERP/CRM 10.0.1 SQLi via viewcat.php elemid
Description: Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
Products: Dolibarr Erpcrm

CVE-2019-25450 (Feb 22, 2026)
Title: SQLi in Dolibarr ERP/CRM 10.0.1 (card.php POST params)
Description: Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.
Products: Dolibarr Erpcrm

CVE-2020-36966 (Jan 30, 2026)
Title: Dolibarr 11.0.3 LDAP XSS via LDAP sync params
Description: Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information.
Products: Dolibarr, Dolibarr Erpcrm

CVE-2021-47779 (Jan 15, 2026)
Title: Vuln: Dolibarr ERPCRM 14.0.2 XSS in Ticket Module
Description: Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.

CVE-2025-56588 (Oct 01, 2025)
Title: Dolibarr v21.0.1 RCE via User Module Computed Field
Description: Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
Products: Dolibarr

CVE-2012-10059 (Aug 13, 2025)
Title: Dolibarr ERP/CRM <=3.1.1/3.2.0: Post-auth OS Command Injection via export.php
Description: Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server.
Products: Dolibarr

CVE-2024-55228 (Jan 27, 2025)
Title: Dolibarr v21.0.0-beta XSS via Title in Product Module
Description: A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Products: Dolibarr Erpcrm, Dolibarr

CVE-2024-55227 (Jan 27, 2025)
Title: Dolibarr v21.0.0-beta XSS in Events/Agenda Title Param
Description: A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Products: Dolibarr Erpcrm, Dolibarr

CVE-2021-3991 (Nov 15, 2024)
Title: Dolibarr IA: Direct URL Bypass in Reception
Description: An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
Products: Dolibarr Erpcrm, Dolibarr

CVE-2024-40137 (Jul 24, 2024)
Title: Dolibarr ERP CRM RCE via Computed Field (v<19.0.2-php8.2)
Description: Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.
Products: Dolibarr
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).