Dolibarr
by Dolibarr
Source repositories
CVEs (90)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-10059 | Dolibarr / Dolibarr | Critical | 0.69 | — | 0.03 | | Aug 13, 2025 | Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands,… |
| CVE-2018-25357 | Dolibarr / Dolibarr | Critical | 0.64 | 9.8 | 0.02 | | May 23, 2026 | Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the… |
| CVE-2017-7888 | Dolibarr / Dolibarr | Critical | 0.64 | 9.8 | 0.01 | | May 10, 2017 | Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier. |
| CVE-2017-7886 | Dolibarr / Dolibarr | Critical | 0.64 | 9.8 | 0.02 | | May 10, 2017 | Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter. |
| CVE-2025-69634 | Dolibarr / Dolibarr | Critical | 0.59 | 9.0 | 0.00 | | Feb 12, 2026 | Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php. NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token… |
| CVE-2017-17900 | Dolibarr / Dolibarr | Critical | 0.57 | 9.8 | 0.02 | | Dec 27, 2017 | SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter. |
| CVE-2017-17899 | Dolibarr / Dolibarr | Critical | 0.57 | 9.8 | 0.02 | | Dec 27, 2017 | SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter. |
| CVE-2017-17897 | Dolibarr / Dolibarr | Critical | 0.57 | 9.8 | 0.02 | | Dec 27, 2017 | SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2017-14242 | Dolibarr / Dolibarr | Critical | 0.57 | 9.8 | 0.01 | | Sep 11, 2017 | SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. |
| CVE-2017-14238 | Dolibarr / Dolibarr | Critical | 0.57 | 9.8 | 0.01 | | Sep 11, 2017 | SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. |
| CVE-2017-9840 | Dolibarr / Dolibarr | High | 0.57 | 8.8 | 0.01 | | Jun 25, 2017 | Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. |
| CVE-2017-9435 | Dolibarr / Dolibarr | Critical | 0.57 | 9.8 | 0.01 | | Jun 5, 2017 | Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). |
| CVE-2026-23500 | Dolibarr / Dolibarr | Critical | 0.52 | 9.1 | 0.01 | | Apr 17, 2026 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed… |
| CVE-2026-31019 | Dolibarr / Dolibarr | High | 0.50 | 8.8 | 0.01 | | Apr 21, 2026 | In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in… |
| CVE-2026-31018 | Dolibarr / Dolibarr | High | 0.50 | 8.8 | 0.00 | | Apr 21, 2026 | In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs… |
| CVE-2019-25710 | Dolibarr / Dolibarr | High | 0.46 | 8.2 | 0.00 | | Apr 12, 2026 | Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database… |
| CVE-2017-8879 | Dolibarr / Dolibarr | Medium | 0.44 | 6.8 | 0.00 | | May 10, 2017 | Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation. |
| CVE-2020-36966 | Dolibarr / Dolibarr | Medium | 0.42 | 6.4 | 0.00 | | Jan 30, 2026 | Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to… |
| CVE-2017-17898 | Dolibarr / Dolibarr | High | 0.42 | 7.5 | 0.02 | | Dec 27, 2017 | Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information. |
| CVE-2017-14240 | Dolibarr / Dolibarr | High | 0.42 | 7.5 | 0.01 | | Sep 11, 2017 | There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter. |
Page 1 of 5