Dolibarr


Products by Dolibarr, sorted by most security vulnerabilities since 2018

Dolibarr Erpcrm: 96 vulnerabilities

Dolibarr: 85 vulnerabilities

By the Year

In 2026 there have been 8 vulnerabilities in Dolibarr with an average score of 7.0 out of ten. Last year, in 2025, Dolibarr had 4 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 1.98.

Year   Vulnerabilities   Average Score
2026   8                 6.96
2025   4                 8.93
2024   9                 7.48
2023   9                 7.57
2022   14                7.19
2021   7                 7.23
2020   20                6.70
2019   26                7.05
2018   10                8.64

It may take a day or so for new Dolibarr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Dolibarr Security Vulnerabilities

CVE-2026-23500 (Apr 17, 2026): RCE via unsanitized ODT to PDF exec in Dolibarr <23.0.0 odf.php
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.
Products: Dolibarr

CVE-2019-25710 (Apr 12, 2026): SQLi via rowid in Dolibarr 8.0.4 admin dict.php
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
Products: Dolibarr Erpcrm

CVE-2026-22666 (Apr 07, 2026): RCE in Dolibarr <23.0.2 via dol_eval_standard() eval()
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().
Products: Dolibarr Erpcrm

CVE-2026-34036 (Mar 31, 2026): Dolibarr 22.x LFI via /core/ajax/selectobject.php on objectdesc
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs). At time of publication, there are no publicly available patches.
Products: Dolibarr

CVE-2019-25452 (Feb 22, 2026): Dolibarr ERP/CRM 10.0.1 SQLi via viewcat.php elemid
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
Products: Dolibarr Erpcrm

CVE-2019-25450 (Feb 22, 2026): SQLi in Dolibarr ERP/CRM 10.0.1 (card.php POST params)
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.
Products: Dolibarr Erpcrm

CVE-2020-36966 (Jan 30, 2026): Dolibarr 11.0.3 LDAP XSS via LDAP sync params
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information.
Products: Dolibarr, Dolibarr Erpcrm

CVE-2021-47779 (Jan 15, 2026): Dolibarr ERPCRM 14.0.2 XSS in Ticket Module
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.

CVE-2025-56588 (Oct 01, 2025): Dolibarr v21.0.1 RCE via User Module Computed Field
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
Products: Dolibarr

CVE-2012-10059 (Aug 13, 2025): Dolibarr ERP/CRM <=3.1.1/3.2.0: Post-auth OS Command Injection via export.php
Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server.
Products: Dolibarr
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).