High severity7.2NVD Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2025-67486

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's eval() function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.

Affected products

Dolibarr/Dolibarrreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.phpnvdPatch
medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118envdExploitThird Party Advisory

News mentions

Metasploit Wrap-Up 05/15/2026
Rapid7 Blog · May 15, 2026

cvss	0.468
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000