Dolibarr

Products by Dolibarr, sorted by most security vulnerabilities since 2018

Dolibarr Erpcrm: 97 vulnerabilities
Dolibarr: 87 vulnerabilities

By the Year

In 2026 there have so far been 13 vulnerabilities in Dolibarr, with an average score of 6.9 out of ten. In 2025, Dolibarr had 4 security vulnerabilities published. That is, 9 more vulnerabilities have already been reported in 2026 than in the whole of last year. Last year's average CVE base score was higher by 2.02.

Year   Vulnerabilities   Average Score
2026   13                6.91
2025   4                 8.93
2024   9                 7.48
2023   9                 7.57
2022   14                7.19
2021   7                 7.23
2020   20                6.70
2019   26                7.05
2018   10                8.64

It may take a day or so for new Dolibarr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Dolibarr Security Vulnerabilities

CVE-2018-25357 (May 23, 2026) - Product: Dolibarr Erpcrm
Dolibarr ERP 7.0.3 RCE via db_name Parameter Injection
Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

CVE-2025-67486 (May 08, 2026) - Product: Dolibarr
Authenticated RCE in Dolibarr <=22.0.2 via eval() in extrafields
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of the time of publication, no patched versions are available.

CVE-2026-7689 (May 03, 2026)
Dolibarr ERP CRM <23.0.2: Online Signature Module Invalid Cryptographic Signature Verification (Remote)
A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-7688 (May 03, 2026)
Dolibarr ERP CRM 23.0.2 or earlier - Shipment API endpoint SQLi
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to SQL injection. The attack can be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-31018 (Apr 21, 2026) - Product: Dolibarr
Dolibarr ERP&CRM <=22.0.4 PHP injection via Website module
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

CVE-2026-23500 (Apr 17, 2026) - Product: Dolibarr
RCE via unsanitized ODT to PDF exec in Dolibarr <23.0.0 odf.php
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

CVE-2019-25710 (Apr 12, 2026) - Product: Dolibarr Erpcrm
SQLi via rowid in Dolibarr 8.0.4 admin dict.php
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.

CVE-2026-22666 (Apr 07, 2026) - Product: Dolibarr Erpcrm
RCE in Dolibarr <23.0.2 via dol_eval_standard() eval()
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function, which fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

CVE-2026-34036 (Mar 31, 2026) - Product: Dolibarr
Dolibarr 22.x LFI via /core/ajax/selectobject.php on objectdesc
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs). At the time of publication, there are no publicly available patches.

CVE-2019-25452 (Feb 22, 2026) - Product: Dolibarr Erpcrm
Dolibarr ERP/CRM 10.0.1 SQLi via viewcat.php elemid
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).