Critical severity · NVD Advisory · Published Aug 13, 2025 · Updated Apr 15, 2026
CVE-2012-10059
Description
Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server.
Patches
No patches discovered yet.
References
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dolibarr_cmd_exec.rb (nvd)
- seclists.org/fulldisclosure/2012/Apr/78 (nvd)
- www.dolibarr.org (nvd)
- www.exploit-db.com/exploits/18724 (nvd)
- www.exploit-db.com/exploits/18725 (nvd)
- www.vulncheck.com/advisories/dolibarr-erp-crm-post-auth-os-command-injection (nvd)