VYPR

Dolibarr

All CVEs

90 total · sorted by risk
  • CVE-2012-10059 · Critical · Aug 13, 2025
    risk 0.69 · cvss n/a · epss 0.03

    Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands,…

  • CVE-2018-25357 · Critical · May 23, 2026
    risk 0.64 · cvss 9.8 · epss 0.02

    Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the…

  • CVE-2017-7888 · Critical · May 10, 2017
    risk 0.64 · cvss 9.8 · epss 0.01

    Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
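    Why a single unsalted MD5 makes brute force easy, and what the replacement looks like. The Python block below is an added illustration written for this page, not Dolibarr's code: the wordlist is constructed, and PBKDF2-HMAC-SHA256 is used only because it ships in the standard library (bcrypt, scrypt or Argon2 are the usual production choices).

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracking dictionary (example data, not real credentials).
WORDLIST = ["123456", "password", "letmein", "dolibarr", "Summer2017!"]


def legacy_md5(password: str) -> str:
    # The weak scheme: one fast, unsalted MD5 round. Equal passwords give equal
    # hashes across all users, and an attacker can test billions of candidates
    # per second against a dumped table.
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored_hash: str, wordlist):
    # Offline dictionary attack: hash each candidate, compare. Without a salt the
    # same precomputed table serves every account in the dump.
    for candidate in wordlist:
        if legacy_md5(candidate) == stored_hash:
            return candidate
    return None


def hash_password(password: str, salt: bytes = b"") -> str:
    # Hardened scheme: random per-user salt plus a deliberately slow KDF.
    # 600,000 iterations is the current OWASP figure for PBKDF2-HMAC-SHA256.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"pbkdf2_sha256${600_000}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = legacy_md5("dolibarr")
    print("MD5 recovered:", crack_md5(leaked, WORDLIST))
    stored = hash_password("dolibarr")
    print("PBKDF2 verify:", verify_password("dolibarr", stored), verify_password("Dolibarr", stored))
```

The point of the slow KDF is not that it cannot be attacked, but that each guess costs the attacker roughly what it costs the server, which turns a seconds-long dictionary run into one that is infeasible at scale.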

  • CVE-2017-7886 · Critical · May 10, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css.php via the lang parameter.

  • CVE-2025-69634 · Critical · Feb 12, 2026
    risk 0.59 · cvss 9.0 · epss 0.00

    Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token…

  • CVE-2017-17900 · Critical · Dec 27, 2017
    risk 0.57 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the socid parameter.

  • CVE-2017-17899 · Critical · Dec 27, 2017
    risk 0.57 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the rowid parameter.

  • CVE-2017-17897 · Critical · Dec 27, 2017
    risk 0.57 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.

  • CVE-2017-14242 · Critical · Sep 11, 2017
    risk 0.57 · cvss 9.8 · epss 0.01

    SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter.

  • CVE-2017-14238 · Critical · Sep 11, 2017
    risk 0.57 · cvss 9.8 · epss 0.01

    SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter.

  • CVE-2017-9840 · High · Jun 25, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.

  • CVE-2017-9435 · Critical · Jun 5, 2017
    risk 0.57 · cvss 9.8 · epss 0.01

    Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters).

  • CVE-2026-23500 · Critical · Apr 17, 2026
    risk 0.52 · cvss 9.1 · epss 0.01

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed…
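    CVE-2026-23500 (a configuration constant concatenated into a shell command) and CVE-2012-10059 (the sql_compat request parameter reaching a system command) are the same bug class: a string handed to a shell that also contains attacker-controlled text. The Python block below is an added illustration for this page, not Dolibarr's odf.php or export.php code. It assumes a POSIX /bin/sh and uses echo as a stand-in for the real converter so that it runs offline; the converter string and the hostile file name are constructed.

```python
import shlex
import subprocess


def run_shell_unsafe(converter: str, path: str) -> str:
    # Vulnerable shape: config string + file path glued into one command line
    # and handed to /bin/sh. Shell metacharacters in either value (;, |, $(),
    # backticks) become additional commands. A config value an administrator
    # can edit through the UI is still attacker-reachable in this model.
    cmd = converter + " " + path
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_safe(converter_argv: list, path: str) -> str:
    # Hardened: no shell at all. The converter is a fixed argv list chosen by
    # the application, and the path is exactly one argument whatever it holds.
    return subprocess.run([*converter_argv, path], capture_output=True, text=True).stdout


def run_shell_quoted(converter_argv: list, path: str) -> str:
    # When a shell is unavoidable, quote every untrusted token with shlex.quote
    # so the shell sees one word per token.
    cmd = " ".join(shlex.quote(t) for t in [*converter_argv, path])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def demo() -> dict:
    converter = "echo converting"              # stand-in for the real converter command
    hostile_path = "report.odt; echo INJECTED"  # constructed attacker-controlled value
    return {
        "unsafe": run_shell_unsafe(converter, hostile_path),
        "argv": run_argv_safe(["echo", "converting"], hostile_path),
        "quoted": run_shell_quoted(["echo", "converting"], hostile_path),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

In the unsafe variant the shell runs two commands and the second line of output is the injected one; in both hardened variants the whole hostile value is printed back as a single argument and nothing else executes.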

  • CVE-2026-31019 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in…

  • CVE-2026-31018 · High · Apr 21, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs…

  • CVE-2019-25710 · High · Apr 12, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database…

  • CVE-2017-8879 · Medium · May 10, 2017
    risk 0.44 · cvss 6.8 · epss 0.00

    Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate attackers to obtain access via an unattended workstation.

  • CVE-2020-36966 · Medium · Jan 30, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to…

  • CVE-2017-17898 · High · Dec 27, 2017
    risk 0.42 · cvss 7.5 · epss 0.02

    Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive information.

  • CVE-2017-14240 · High · Sep 11, 2017
    risk 0.42 · cvss 7.5 · epss 0.01

    There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter.

  • CVE-2026-37713 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.

  • CVE-2026-37712 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via htdocs/cron/class/cronjob.class.php (call_user_func_array() in the 'function' job type).

  • CVE-2026-37711 · High · May 27, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php

  • CVE-2025-67486 · High · May 8, 2026
    risk 0.40 · cvss 7.2 · epss 0.01

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the…

  • CVE-2026-22666 · High · Apr 7, 2026
    risk 0.40 · cvss 7.2 · epss 0.16

    Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator…

  • CVE-2017-7887 · Medium · May 10, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall parameter.

  • CVE-2024-40137 · Medium · Jul 24, 2024
    risk 0.36 · cvss 5.5 · epss 0.01

    Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.

  • CVE-2026-34036 · Medium · Mar 31, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc…

  • CVE-2026-11619 · Medium · Jun 9, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible…

  • CVE-2017-17971 · Medium · Dec 29, 2017
    risk 0.33 · cvss 6.1 · epss 0.01

    The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS.
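    An event-handler denylist fails exactly as CVE-2017-17971 describes: whatever handler the author forgot is the one that gets through. The Python block below is an added illustration for this page, not Dolibarr's test_sql_and_script_inject function; the payloads, the short denylist and the allowlist sanitizer are all constructed here. It contrasts stripping known handlers against rebuilding the markup from an allowlist of tags and attributes, which is the approach that also covers the stored XSS entries elsewhere on this page (user-supplied names, titles and addresses rendered back as HTML).

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed payloads; the onclick/onscroll cases are the handlers the CVE says were not blocked.
PAYLOADS = [
    '<img src=x onerror="alert(1)">',
    '<div onclick="alert(1)">click</div>',
    '<div onscroll="alert(1)">scroll</div>',
    '<a href="javascript:alert(1)">x</a>',
    '<b>safe bold</b>',
]

BLOCKED_EVENTS = ("onload", "onerror", "onmouseover", "onmouseout", "onkeyup")


def strip_denylist(html: str) -> str:
    # Denylist approach: remove only the handlers someone thought of. Any other
    # on* attribute, or a javascript: URL, survives untouched.
    for ev in BLOCKED_EVENTS:
        html = re.sub(rf"\s{ev}\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", html, flags=re.I)
    return html


ALLOWED_TAGS = {"b", "i", "p", "br", "a", "div"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)


class AllowlistSanitizer(HTMLParser):
    # Allowlist approach: re-emit only known tags and attributes. Every on*
    # attribute and every non-http(s)/mailto URL scheme is dropped by construction,
    # so there is no list of bad names to keep complete.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not SAFE_URL.match(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))


def sanitize_allowlist(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def has_handler(html: str) -> bool:
    # Cheap check used to compare the two approaches: any on*= attribute or javascript: URL left?
    return re.search(r"\son\w+\s*=", html, re.I) is not None or "javascript:" in html.lower()


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}\n  denylist -> {strip_denylist(p)!r} (handler left: {has_handler(strip_denylist(p))})"
              f"\n  allowlist -> {sanitize_allowlist(p)!r}")
```

Output encoding at render time (escaping the stored value) is still the first line of defence; an allowlist sanitizer is for the narrower case where some HTML genuinely has to be preserved.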

  • CVE-2015-8685 · Medium · Jan 15, 2016
    risk 0.33 · cvss 6.1 · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the bank name field in the "import external calendar" page.

  • CVE-2017-14241 · Medium · Sep 11, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php.

  • CVE-2017-14239 · Medium · Sep 11, 2017
    risk 0.28 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3) CompanyZip, (4) CompanyTown, (5) Fax, (6) EMail, (7) Web, (8) ManagingDirectors,…

  • CVE-2016-1912 · Medium · Jan 15, 2016
    risk 0.28 · cvss 5.4 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.

  • CVE-2024-34051 · Medium · Jun 3, 2024
    risk 0.24 · cvss 4.6 · epss 0.12

    A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.

  • CVE-2026-10215 · Medium · Jun 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The…

  • CVE-2026-10154 · Medium · May 31, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to…

  • CVE-2023-30253 · May 29, 2023
    risk 0.10 · cvss n/a · epss 0.79

    Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
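    CVE-2023-30253 (`<?PHP` accepted where `<?php` is rejected), CVE-2026-31019 (a denylist of dangerous functions bypassed) and CVE-2026-22666 (dynamic callable syntax not detected) are three failures of one control: a denylist deciding whether user-supplied text is executable PHP. The Python block below is an added illustration for this page, not Dolibarr's detection code; the sample inputs, the denylist and both detectors are constructed here to show why each bypass works and what a case-insensitive, syntax-aware check has to cover.

```python
import re

# Constructed inputs. 'upper_tag' is the case variant from CVE-2023-30253; the last two
# call the same function without the substring a name denylist looks for.
SAMPLES = {
    "plain_html":   "<p>Hello</p>",
    "lower_tag":    "<?php system('id'); ?>",
    "upper_tag":    "<?PHP system('id'); ?>",
    "short_echo":   "<?= shell_exec('id') ?>",
    "dynamic_call": "<?php $f = 'sys' . 'tem'; $f('id'); ?>",
    "paren_call":   "<?php ('sys' . 'tem')('id'); ?>",
}

DENYLIST = ("system(", "exec(", "shell_exec(", "passthru(", "popen(")


def contains_php_naive(text: str) -> bool:
    # Case-sensitive open-tag check: '<?PHP' and '<?=' slip through.
    return "<?php" in text


def dangerous_naive(text: str) -> bool:
    # Substring denylist of function names: blind to names assembled at runtime.
    return any(fn in text for fn in DENYLIST)


PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)?", re.IGNORECASE)
DYNAMIC_CALL = re.compile(r"(\$\w+|\))\s*\(")   # $var(...) or (expr)(...)


def contains_php_hardened(text: str) -> bool:
    # Any PHP open tag, any case, including the short echo tag.
    return PHP_OPEN_TAG.search(text) is not None


def dangerous_hardened(text: str) -> bool:
    # Still a heuristic: flags denylisted names AND variable-function or
    # expression-call syntax that a name denylist cannot see. The robust fix is
    # to refuse PHP entirely for principals not allowed to run it, since no
    # denylist gates a full interpreter.
    return dangerous_naive(text) or DYNAMIC_CALL.search(text) is not None


def evaluate(samples=SAMPLES) -> dict:
    return {
        name: {
            "naive_php": contains_php_naive(s),
            "hard_php": contains_php_hardened(s),
            "naive_dangerous": dangerous_naive(s),
            "hard_dangerous": dangerous_hardened(s),
        }
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, flags in evaluate().items():
        print(f"{name:13} {flags}")
```

Read the table the block prints: every row where the naive column is False and the hardened column is True is a bypass of the kind these three CVEs describe.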

  • CVE-2023-38886 · Sep 20, 2023
    risk 0.04 · cvss n/a · epss 0.32

    An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.

  • CVE-2014-3992 · Jul 11, 2014
    risk 0.03 · cvss n/a · epss 0.02

    Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the (1) entity parameter in an update action to user/fiche.php or (2) sortorder parameter to user/group/index.php.

  • CVE-2014-3991 · Jul 11, 2014
    risk 0.03 · cvss n/a · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6)…

  • CVE-2012-1225 · Feb 21, 2012
    risk 0.03 · cvss n/a · epss 0.03

    Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) memberslist parameter (aka Member List) in list.php or (2) rowid parameter to adherents/fiche.php.

  • CVE-2019-25452 · Feb 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid…

  • CVE-2019-25450 · Feb 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and…
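    The SQL injection entries on this page (rowid, socid, id, menuId, statut, elemid, sortorder, actioncode and the rest) share one shape: a request parameter spliced into query text. The Python block below is an added illustration for this page, not Dolibarr's code or schema; it uses an in-memory SQLite table with constructed rows and the conventional integer-id payloads to show what the unsafe query returns and why type coercion plus parameter binding closes it.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a third-party table.
SAMPLE_ROWS = [
    (1, "Acme SA", 0),
    (2, "Globex", 0),
    (3, "Initech", 1),   # private = 1: a row the caller should not see
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE societe (rowid INTEGER PRIMARY KEY, nom TEXT, private INTEGER)")
    db.executemany("INSERT INTO societe VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def fetch_unsafe(db: sqlite3.Connection, rowid: str):
    # Vulnerable pattern: the request parameter becomes part of the SQL text.
    sql = "SELECT rowid, nom FROM societe WHERE rowid = " + rowid
    return db.execute(sql).fetchall()


def fetch_safe(db: sqlite3.Connection, rowid: str):
    # Hardened: coerce to the expected type, then bind as a parameter. A value
    # that is not an integer never reaches the engine, and a bound value is
    # data, never SQL.
    try:
        rid = int(rowid)
    except ValueError:
        return []
    return db.execute("SELECT rowid, nom FROM societe WHERE rowid = ?", (rid,)).fetchall()


def demo() -> dict:
    db = make_db()
    boolean_payload = "1 OR 1=1"
    union_payload = "0 UNION SELECT rowid, nom FROM societe WHERE private = 1"
    return {
        "unsafe_boolean": fetch_unsafe(db, boolean_payload),   # every row
        "unsafe_union": fetch_unsafe(db, union_payload),       # the private row
        "safe_boolean": fetch_safe(db, boolean_payload),       # rejected
        "safe_union": fetch_safe(db, union_payload),           # rejected
        "safe_normal": fetch_safe(db, "2"),                    # intended lookup
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The same rule applies to sort and filter parameters such as sortorder and statut, which cannot be bound as values: map them through an allowlist of permitted column names and directions instead.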

  • CVE-2021-47779 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an…

  • CVE-2024-55228 · Jan 27, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.

  • CVE-2024-55227 · Jan 27, 2025
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.

  • CVE-2021-3991 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.

  • CVE-2024-31503 · Apr 16, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.

  • CVE-2024-29477 · Apr 3, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
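    One caveat when reading this list "sorted by risk": every entry on this page with no CVSS value sits at risk 0.10 or below, including CVE-2023-30253 with the highest EPSS on the page (0.79) and CVE-2023-38886 (0.32), both of them code execution. A ranking that needs a CVSS score buries exactly the CVEs that are being exploited. The Python block below is an added illustration, not VYPR's scoring; both formulas are invented for the example, and the entry list is a hand-transcribed subset of this page's (id, cvss, epss) values.

```python
# Subset of this page's entries, transcribed by hand: (cve, cvss or None, epss).
ENTRIES = [
    ("CVE-2018-25357", 9.8, 0.02),
    ("CVE-2017-7886", 9.8, 0.02),
    ("CVE-2026-22666", 7.2, 0.16),
    ("CVE-2024-34051", 4.6, 0.12),
    ("CVE-2023-30253", None, 0.79),
    ("CVE-2023-38886", None, 0.32),
    ("CVE-2019-25452", None, 0.00),
]


def score_cvss_gated(cvss, epss) -> float:
    # Illustrative ranking that cannot work without a CVSS value: unscored
    # entries fall to the bottom no matter how often they are exploited.
    if cvss is None:
        return 0.0
    return round(cvss / 10 * (0.5 + epss), 3)


def score_epss_first(cvss, epss) -> float:
    # Illustrative triage that treats EPSS as the primary signal and substitutes a
    # conservative default (7.5, assumed here) for a missing CVSS score, so an
    # unscored-but-exploited CVE surfaces instead of vanishing.
    effective_cvss = 7.5 if cvss is None else cvss
    return round(0.7 * epss + 0.3 * effective_cvss / 10, 3)


def rank(entries, scorer) -> list:
    # Stable sort, highest score first; ties keep the page's original order.
    return [cve for cve, cvss, epss in sorted(entries, key=lambda e: scorer(e[1], e[2]), reverse=True)]


def unscored_but_exploited(entries, epss_floor: float = 0.3) -> list:
    # The entries a CVSS-gated ranking hides: no score, but EPSS at or above the floor.
    return [cve for cve, cvss, epss in entries if cvss is None and epss >= epss_floor]


if __name__ == "__main__":
    print("cvss-gated:", rank(ENTRIES, score_cvss_gated))
    print("epss-first:", rank(ENTRIES, score_epss_first))
    print("hidden by cvss gating:", unscored_but_exploited(ENTRIES))
```

Whatever ranking a feed uses, pull the CVEs with a missing CVSS and a non-trivial EPSS out separately before deciding what to patch first.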
