Dolibarr

By the Year

In 2026 there have been 18 vulnerabilities in Dolibarr with an average score of 6.6 out of ten. Last year, in 2025 Dolibarr had 4 security vulnerabilities published. That is, 14 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 2.34

Recent Dolibarr Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-11619	Jun 09, 2026	Improper Auth in Dolibarr ERP CRM 23.0.2 Legacy Filemanager A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.	Erp Crm
CVE-2026-10215	Jun 01, 2026	Dolibarr ERP CRM <23.0.1 Improper Auth in Leave Request REST API A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.	Erp Crm
CVE-2026-10154	May 30, 2026	Dolibarr ERP/CRM Auth Bypass via messaging.php ID (23.0.2) A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.	Erp Crm
CVE-2026-37712	May 27, 2026	Dolibarr ERP/CRM v22.0.0v22.0.4 / v24.0.0-alpha RCE via cronjob.class.php An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type	Dolibarr
CVE-2026-37713	May 27, 2026	Remote Code Execution in Dolibarr v22.0.0v22.0.4, v24.0.0 via commonobject.class.php An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.	Dolibarr
CVE-2018-25357	May 23, 2026	Dolibarr ERP 7.0.3 RCE via db_name Parameter Injection Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.	Dolibarr Erpcrm
CVE-2025-67486	May 08, 2026	Authenticated RCE in Dolibarr <=22.0.2 via eval() in extrafields Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.	Dolibarr
CVE-2026-7689	May 03, 2026	Dolibarr ERP CRM <23.0.2: Online Sig Mod Invalid Cryptographic Signature Verification (Remote) A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-7688	May 03, 2026	Dolibarr ERP CRM 23.0.2 or earlier - Shipment API endpoint SQLi A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-31018	Apr 21, 2026	Dolibarr ERP&CRM <=22.0.4 PHP injection via Website module In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.	Dolibarr