In Dolibarr ERP & CRM versions up to and including 21.0.1 a high severity vulnerability CVE-2025-56588 was detected. This vulnerability allows an authenticated attacker to execute arbitrary code on the underlying server, leading to Remote Code Execution (RCE). This occurs due to insecure processing of the computed field parameter within the User module configuration. By injecting malicious payloads into this configuration field, an attacker can bypass intended restrictions and run arbitrary system commands. To address this issue, users should upgrade Dolibarr ERP & CRM to a patched version version 21.0.3 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-56588.
Read more ERPIn Dolibarr ERP & CRM versions up to and including 22.0.4 a high severity vulnerability CVE-2026-31018 was detected. This vulnerability allows an authenticated user with restricted privileges (limited to HTML/JavaScript editing) to inject and execute arbitrary PHP code, potentially leading to Remote Code Execution (RCE) and privilege escalation. This occurs due to the inconsistent application of PHP code detection and permission enforcement within the Website module. During website page creation, certain input parameters remain unprotected, allowing an attacker to bypass intended restrictions and supply malicious PHP payloads. To address this issue, users should upgrade Dolibarr to a patched version 23.0.0 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-31018.
Read more ERPIn Dolibarr ERP/CRM version 6.0.0 a medium severity vulnerability CVE-2017-14240 was detected. This vulnerability allows attackers to access sensitive information due to a flaw in the document.php file via the file parameter. To address this issue, users should upgrade Dolibarr ERP/CRM to version 6.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-14240.
Read more ERPIn Dolibarr ERP/CRM versions before 5.0.3 a high severity vulnerability CVE-2017-9435 was detected. This vulnerability allows attackers to execute arbitrary SQL commands due to a SQL injection flaw in the search_supervisor and search_statut parameters within the user/index.php file. To address this issue, users should upgrade Dolibarr ERP/CRM to version 5.0.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2017-9435.
Read more ERPIn Dolibarr ERP/CRM version 3.8.3 a low severity vulnerability CVE-2016-1912 was detected. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the lastname, firstname, email, job, or signature parameters to htdocs/user/card.php, leading to Cross-Site Scripting (XSS). To address this issue, users should upgrade Dolibarr ERP/CRM to versions 3.8.3 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-1912.
Read more ERPIn Dolibarr versions prior to 23.0.0 a critical severity vulnerability CVE-2026-23500 was detected. This vulnerability allows authenticated administrators to inject arbitrary OS commands and achieve remote code execution (RCE) as the web server user by manipulating the MAIN_ODT_AS_PDF configuration constant during the ODT to PDF conversion process. To address this issue, users should upgrade Dolibarr to version 23.0.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-23500.
Read more ERPIn Dolibarr ERP/CRM versions prior to 23.0.2 a high vulnerability CVE-2026-22666 allows authenticated administrators to achieve remote code execution through the dol_eval_standard() function. The function fails to properly enforce forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax, allowing attackers to inject malicious payloads via computed extrafields or other evaluation paths. To address this issue, users should upgrade Dolibarr to version 23.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22666.
Read more ERPIn Dolibarr versions 22.0.4 and prior a medium severity vulnerability CVE-2026-34036 was detected. This vulnerability allows an authenticated user with no specific privileges to read arbitrary non-PHP files on the server (e.g., .env, .htaccess, configuration backups, logs) by exploiting a Local File Inclusion (LFI) flaw in the `/core/ajax/selectobject.php` endpoint via the `objectdesc` parameter and a fail-open logic in the `restrictedArea()` access control function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34036.
Read more ERPIn Dolibarr ERP/CRM version 10.0.1 a high severity vulnerability CVE-2019-25450 was detected. This vulnerability allows authenticated attackers to execute arbitrary SQL queries via POST parameters such as `actioncode`, `demand_reason_id`, and `availability_id` in the `card.php` endpoint, potentially exposing sensitive database information through boolean-based blind, error-based, or time-based blind SQL injection techniques. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2019-25450.
Read more ERP