Dolibarr
by Dolibarr
Source repositories
CVEs (90)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-37713 | Hig | 0.40 | 7.3 | 0.00 | May 27, 2026 | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php. | ||
| CVE-2026-37712 | Hig | 0.40 | 7.3 | 0.00 | May 27, 2026 | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type | ||
| CVE-2026-37711 | Hig | 0.40 | 7.3 | 0.00 | May 27, 2026 | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php | ||
| CVE-2025-67486 | Hig | 0.40 | 7.2 | 0.01 | May 8, 2026 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the… | ||
| CVE-2026-22666 | Hig | 0.40 | 7.2 | 0.16 | Apr 7, 2026 | Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator… | ||
| CVE-2017-7887 | Med | 0.40 | 6.1 | 0.01 | May 10, 2017 | Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter. | ||
| CVE-2024-40137 | Med | 0.36 | 5.5 | 0.01 | Jul 24, 2024 | Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function. | ||
| CVE-2026-34036 | Med | 0.35 | 6.5 | 0.00 | Mar 31, 2026 | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc… | ||
| CVE-2026-11619 | Med | 0.34 | 6.3 | 0.00 | Jun 9, 2026 | A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible… | ||
| CVE-2017-17971 | Med | 0.33 | 6.1 | 0.01 | Dec 29, 2017 | The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS. | ||
| CVE-2015-8685 | Med | 0.33 | 6.1 | 0.02 | Jan 15, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page. | ||
| CVE-2017-14241 | Med | 0.28 | 5.4 | 0.01 | Sep 11, 2017 | Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php. | ||
| CVE-2017-14239 | Med | 0.28 | 5.4 | 0.01 | Sep 11, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,… | ||
| CVE-2016-1912 | Med | 0.28 | 5.4 | 0.01 | Jan 15, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php. | ||
| CVE-2024-34051 | Med | 0.24 | 4.6 | 0.12 | Jun 3, 2024 | A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter. | ||
| CVE-2026-10215 | Med | 0.21 | 4.3 | 0.00 | Jun 1, 2026 | A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The… | ||
| CVE-2026-10154 | Med | 0.21 | 4.3 | 0.00 | May 31, 2026 | A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to… | ||
| CVE-2023-30253 | 0.10 | — | 0.79 | May 29, 2023 | Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data. | |||
| CVE-2023-38886 | 0.04 | — | 0.32 | Sep 20, 2023 | An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script. | |||
| CVE-2014-3992 | 0.03 | — | 0.02 | Jul 11, 2014 | Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php. |
- risk 0.40cvss 7.3epss 0.00
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.
- risk 0.40cvss 7.3epss 0.00
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type
- risk 0.40cvss 7.3epss 0.00
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php
- risk 0.40cvss 7.2epss 0.01
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the…
- risk 0.40cvss 7.2epss 0.16
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator…
- risk 0.40cvss 6.1epss 0.01
Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.
- risk 0.36cvss 5.5epss 0.01
Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.
- risk 0.35cvss 6.5epss 0.00
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc…
- risk 0.34cvss 6.3epss 0.00
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible…
- risk 0.33cvss 6.1epss 0.01
The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
- risk 0.33cvss 6.1epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page.
- risk 0.28cvss 5.4epss 0.01
Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php.
- risk 0.28cvss 5.4epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,…
- risk 0.28cvss 5.4epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.
- risk 0.24cvss 4.6epss 0.12
A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.
- risk 0.21cvss 4.3epss 0.00
A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The…
- risk 0.21cvss 4.3epss 0.00
A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to…
- CVE-2023-30253May 29, 2023risk 0.10cvss —epss 0.79
Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
- CVE-2023-38886Sep 20, 2023risk 0.04cvss —epss 0.32
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
- CVE-2014-3992Jul 11, 2014risk 0.03cvss —epss 0.02
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.
Page 2 of 5