VYPR

Dolibarr

by Dolibarr

CVEs (90)

  • CVE-2012-10059 (Critical) Aug 13, 2025
    risk 0.69, cvss n/a, epss 0.03

    Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands,…

  • CVE-2018-25357 (Critical) May 23, 2026
    risk 0.64, cvss 9.8, epss 0.02

    Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the…

  • CVE-2017-7888 (Critical) May 10, 2017
    risk 0.64, cvss 9.8, epss 0.01

    Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.

  • CVE-2017-7886 (Critical) May 10, 2017
    risk 0.64, cvss 9.8, epss 0.02

    Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.

  • CVE-2025-69634 (Critical) Feb 12, 2026
    risk 0.59, cvss 9.0, epss 0.00

    Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token…

  • CVE-2017-17900 (Critical) Dec 27, 2017
    risk 0.57, cvss 9.8, epss 0.02

    SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.

  • CVE-2017-17899 (Critical) Dec 27, 2017
    risk 0.57, cvss 9.8, epss 0.02

    SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.

  • CVE-2017-17897 (Critical) Dec 27, 2017
    risk 0.57, cvss 9.8, epss 0.02

    SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2017-14242 (Critical) Sep 11, 2017
    risk 0.57, cvss 9.8, epss 0.01

    SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter.

  • CVE-2017-14238 (Critical) Sep 11, 2017
    risk 0.57, cvss 9.8, epss 0.01

    SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter.

  • CVE-2017-9840 (High) Jun 25, 2017
    risk 0.57, cvss 8.8, epss 0.01

    Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.

  • CVE-2017-9435 (Critical) Jun 5, 2017
    risk 0.57, cvss 9.8, epss 0.01

    Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).

  • CVE-2026-23500 (Critical) Apr 17, 2026
    risk 0.52, cvss 9.1, epss 0.01

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed…

  • CVE-2026-31019 (High) Apr 21, 2026
    risk 0.50, cvss 8.8, epss 0.01

    In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in…

  • CVE-2026-31018 (High) Apr 21, 2026
    risk 0.50, cvss 8.8, epss 0.00

    In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs…

  • CVE-2019-25710 (High) Apr 12, 2026
    risk 0.46, cvss 8.2, epss 0.00

    Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database…

  • CVE-2017-8879 (Medium) May 10, 2017
    risk 0.44, cvss 6.8, epss 0.00

    Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.

  • CVE-2020-36966 (Medium) Jan 30, 2026
    risk 0.42, cvss 6.4, epss 0.00

    Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to…

  • CVE-2017-17898 (High) Dec 27, 2017
    risk 0.42, cvss 7.5, epss 0.02

    Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.

  • CVE-2017-14240 (High) Sep 11, 2017
    risk 0.42, cvss 7.5, epss 0.01

    There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.

Page 1 of 5