Critical severity9.1NVD Advisory· Published Apr 17, 2026· Updated May 1, 2026

CVE-2026-23500

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
dolibarr/dolibarrPackagist	<= 22.0.4	—

Affected products

Dolibarr/Dolibarr Erp\/crm
cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
Range: <23.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87wnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-w5j3-8fcr-h87wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-23500ghsaADVISORY
github.com/Dolibarr/dolibarr/releases/tag/23.0.0nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000