VYPR

Dolibarr

by Dolibarr

CVEs (90)

  • CVE-2026-37713 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.

  • CVE-2026-37712 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type

  • CVE-2026-37711 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php

  • CVE-2025-67486 · High · May 8, 2026
    risk 0.40 · cvss 7.2 · epss 0.01

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the…

  • CVE-2026-22666 · High · Apr 7, 2026
    risk 0.40 · cvss 7.2 · epss 0.16

    Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator…

  • CVE-2017-7887 · Medium · May 10, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.

  • CVE-2024-40137 · Medium · Jul 24, 2024
    risk 0.36 · cvss 5.5 · epss 0.01

    Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.

  • CVE-2026-34036 · Medium · Mar 31, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc…

  • CVE-2026-11619 · Medium · Jun 9, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible…

  • CVE-2017-17971 · Medium · Dec 29, 2017
    risk 0.33 · cvss 6.1 · epss 0.01

    The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.

  • CVE-2015-8685 · Medium · Jan 15, 2016
    risk 0.33 · cvss 6.1 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page.

  • CVE-2017-14241 · Medium · Sep 11, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php.

  • CVE-2017-14239 · Medium · Sep 11, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,…

  • CVE-2016-1912 · Medium · Jan 15, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.

  • CVE-2024-34051 · Medium · Jun 3, 2024
    risk 0.24 · cvss 4.6 · epss 0.12

    A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.

  • CVE-2026-10215 · Medium · Jun 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The…

  • CVE-2026-10154 · Medium · May 31, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to…

  • CVE-2023-30253 · May 29, 2023
    risk 0.10 · cvss · epss 0.79

    Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

  • CVE-2023-38886 · Sep 20, 2023
    risk 0.04 · cvss · epss 0.32

    An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.

  • CVE-2014-3992 · Jul 11, 2014
    risk 0.03 · cvss · epss 0.02

    Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.

Page 2 of 5