CVE-2026-23500
Published 2026-04-17
Priority: P2 (60) · critical 9.1 (CVSS 3.1) · vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.92% (55.8th percentile)
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user whenever any ODT template is generated. This issue has been fixed in version 23.0.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | < 23.0.0 | 23.0.0 |
| dolibarr | dolibarr | 0 – 22.0.4 | — |
| dolibarr | dolibarr_erp_crm | < 23.0.0 | 23.0.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| NVD | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Dolibarr up to 22.x Software Package odf.php exec os command injection (GHSA-w5j3-8fcr-h87w)
vuldb · 2026-04-17 · CVSS 9.4 · CRITICAL
A vulnerability labeled as critical has been found in Dolibarr up to 22.x. Affected by this vulnerability is the function exec of the file odf.php of the component Software Package Handler. The manipulation results in OS command injection.
This vulnerability is identified as CVE-2026-23500. The attack can be executed remotely. No exploit is available.
The affected component should be upgraded.
GHSA
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
ghsa · 2026-04-17 · CRITICAL · CWE-78
### Summary
An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.
### Details
The vulnerability is located in `htdocs/includes/odtphp/odf.php`.
When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.
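The concatenation pattern described above, shown as an added example that is not Dolibarr's own code, next to a hardened form that selects the converter from an allowlist and escapes every argument, plus an audit check for a value that is already stored. The function names, the converter allowlist, the escaping of the file argument in the vulnerable variant, and the sample values are all assumptions made for this illustration; the fix actually shipped in Dolibarr 23.0.0 may take a different approach.

```php
<?php
// Added example, not Dolibarr's code. Names, the allowlist and the sample
// values below are assumptions for illustration only.

declare(strict_types=1);

/**
 * Mirrors the vulnerable shape: the configured converter string is pasted
 * verbatim in front of the file name and the result would be handed to the
 * shell. Only the file argument is escaped (assumed here); the command prefix
 * is trusted as-is, so a separator inside the setting starts a second command.
 */
function buildCommandVulnerable(string $configuredConverter, string $odtPath): string
{
    return $configuredConverter.' '.escapeshellarg($odtPath);
}

/**
 * Hardened variant: the setting names one of a few known converters instead
 * of supplying a free-form command, and every argument goes through
 * escapeshellarg(). Any other value is rejected before a command is built.
 */
function buildCommandHardened(string $configuredConverter, string $odtPath): string
{
    // Assumed allowlist: setting value => fixed argv template.
    $converters = [
        'unoconv'     => ['unoconv', '-f', 'pdf'],
        'libreoffice' => ['soffice', '--headless', '--convert-to', 'pdf'],
    ];
    if (!isset($converters[$configuredConverter])) {
        throw new InvalidArgumentException(
            'MAIN_ODT_AS_PDF must be one of: '.implode(', ', array_keys($converters))
        );
    }
    $argv   = $converters[$configuredConverter];
    $argv[] = $odtPath;
    return implode(' ', array_map('escapeshellarg', $argv));
}

/**
 * Audit helper for existing installs: flags a stored MAIN_ODT_AS_PDF value
 * that contains shell metacharacters. A legitimate converter path never needs
 * them, so a hit indicates a tampered or malicious setting worth investigating.
 */
function looksLikeInjectedConverter(string $configuredConverter): bool
{
    return preg_match('/[;&|`$(){}<>\n\r\\\\]/', $configuredConverter) === 1;
}

// Constructed sample values. The second is the shape of payload the advisory
// describes: a command separator appended to an otherwise normal converter name.
$benign    = 'unoconv';
$malicious = 'unoconv; id > /tmp/pwned #';
$file      = '/var/www/dolibarr/documents/propale/PR2401-0001.odt';

// With the vulnerable builder the malicious setting yields two shell commands;
// the "#" then comments out the escaped file argument that follows it.
echo buildCommandVulnerable($benign, $file), PHP_EOL;
echo buildCommandVulnerable($malicious, $file), PHP_EOL;

// With the hardened builder the benign name maps to a fixed argv and the
// malicious one is refused outright.
echo buildCommandHardened($benign, $file), PHP_EOL;
try {
    buildCommandHardened($malicious, $file);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The audit check distinguishes the two stored values without running anything.
var_dump(looksLikeInjectedConverter($benign));
var_dump(looksLikeInjectedConverter($malicious));
```

Run it with `php` on the command line; nothing is passed to `exec()`, the builders only return the command strings so the injection is visible without executing it. On an instance that was exposed before upgrading, point `looksLikeInjectedConverter()` at the stored value of `MAIN_ODT_AS_PDF` (Dolibarr keeps global constants in its `llx_const` table in a default install) to hunt for tampering, since the planted command runs as the web server user every time any user generates an ODT document, not only when the administrator who set it does. The `PR:H` in the vector is the practical caveat: the vulnerable code trusts a value only an administrator can write, so the boundary being crossed is admin-to-OS-user, and any weaker path to writing global constants would inherit the same impact.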
Code snippet (`htdocs/includes/odtphp/odf.php`, approx line 930):
```php
$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.