Dolibarr Erp/Crm
cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a |
| Version | * |
| Update | * |
| Vendor | Dolibarr (63aa6448-b9f1-5072-badf-d5da7e178b3f) |
| Product | Dolibarr Erp/Crm (43fce236-1427-50a7-9efe-8afa61d3c40d) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-34036 | vulnerable | 2026-06-08 07:59:11.696467 | **Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php.** Severity: MEDIUM (6.5). Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches. Published: 2026-03-31T01:39:38.178Z. Updated: 2026-03-31T13:57:45.230Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31019 | vulnerable | 2026-06-08 07:57:14.674886 | In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server. Published: 2026-04-21T00:00:00.000Z. Updated: 2026-04-21T18:23:33.693Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-31018 | vulnerable | 2026-06-08 07:57:14.674538 | In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. Published: 2026-04-21T00:00:00.000Z. Updated: 2026-04-21T15:31:23.441Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-23500 | vulnerable | 2026-06-08 07:51:15.538024 | **Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration.** Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0. Published: 2026-04-17T20:25:49.843Z. Updated: 2026-04-18T03:06:20.406Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-22666 | vulnerable | 2026-06-08 07:51:13.564426 | **Dolibarr ERP/CRM < 23.0.2 Authenticated RCE via dol_eval_standard().** Severity: HIGH (7.2). Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval(). Published: 2026-04-07T12:41:31.280Z. Updated: 2026-04-07T13:43:14.034Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-67486 | vulnerable | 2026-06-08 07:41:19.882028 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-40137 | vulnerable | 2026-06-08 06:43:52.155910 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-37821 | vulnerable | 2026-06-08 06:39:48.107000 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-31503 | vulnerable | 2026-06-08 06:35:31.950225 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-29477 | vulnerable | 2026-06-08 06:33:29.171953 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5842 | vulnerable | 2026-06-08 06:19:44.884305 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5323 | vulnerable | 2026-06-08 06:19:43.200358 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-4198 | vulnerable | 2026-06-08 06:16:11.756711 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-4197 | vulnerable | 2026-06-08 06:16:11.756212 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-38888 | vulnerable | 2026-06-08 06:08:18.940839 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-38887 | vulnerable | 2026-06-08 06:08:18.940488 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-38886 | vulnerable | 2026-06-08 06:08:18.939965 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-33568 | vulnerable | 2026-06-08 06:06:23.286824 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-30253 | vulnerable | 2026-06-08 06:02:43.947064 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-43138 | vulnerable | 2026-06-08 05:49:31.145840 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-40871 | vulnerable | 2026-06-08 05:48:28.265716 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-2060 | vulnerable | 2026-06-08 05:42:50.176448 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-0819 | vulnerable | 2026-06-08 05:39:11.250582 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-0746 | vulnerable | 2026-06-08 05:39:10.752918 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-0731 | vulnerable | 2026-06-08 05:39:10.670645 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-0414 | vulnerable | 2026-06-08 05:39:09.997609 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-0224 | vulnerable | 2026-06-08 05:39:09.562740 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-0174 | vulnerable | 2026-06-08 05:39:09.400357 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-3991 | vulnerable | 2026-06-08 05:35:16.533146 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-36966 | vulnerable | 2026-06-08 05:25:49.935437 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-25710 | vulnerable | 2026-06-08 05:13:42.825333 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2018-25357 | vulnerable | 2026-06-08 05:11:29.836960 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-9839 | vulnerable | 2026-06-08 05:10:10.692543 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-9838 | vulnerable | 2026-06-08 05:10:10.692146 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-18260 | vulnerable | 2026-06-08 05:09:10.638384 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-18259 | vulnerable | 2026-06-08 05:09:10.637953 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |