Dolibarr vulnerabilities
105 known vulnerabilities affecting dolibarr/dolibarr.
Total CVEs: 105
CISA KEV: 0
Public exploits: 8
Exploited in wild: 0
Severity breakdown: CRITICAL 25, HIGH 33, MEDIUM 47
Vulnerabilities
Page 1 of 6
CVE-2026-34036 | MEDIUM | CVSS 6.5 | CWE-98 | affected: ≤ 22.0.4 | published 2026-03-31
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access contro
Sources: cvelistv5, ghsa, nvd, osv
CVE-2020-36966 | MEDIUM | CVSS 5.1 | CWE-79 | affected: ≤ 11.0.3 | published 2026-01-30
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information.
Sources: cvelistv5, nvd
CVE-2025-56588 | HIGH | CWE-94 | affected: < 21.0.3 | published 2025-10-01
Dolibarr vulnerable to RCE via the computed field parameter
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
Sources: ghsa, osv
CVE-2021-3991 | MEDIUM | CWE-285 | affected: < 15.0.0 | published 2024-11-15
Improper Authorization in dolibarr/dolibarr
An Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
Sources: ghsa, osv
CVE-2024-40137 | HIGH | CWE-74 | affected: < 19.0.2 | published 2024-07-24
Dolibarr ERP CRM vulnerable to remote code execution (RCE)
Dolibarr ERP CRM before 19.0.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function.
Sources: ghsa, osv
CVE-2024-37821 | HIGH | CWE-434 | affected: < 19.0.2 | published 2024-06-18
Dolibarr arbitrary file upload vulnerability
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
Sources: ghsa, osv
CVE-2024-34051 | MEDIUM | CWE-79 | affected: < 19.0.2 | published 2024-06-03
Reflected Cross-Site Scripting (XSS) in Dolibarr
A Reflected Cross-site scripting (XSS) vulnerability located in htdocs/compta/paiement/card.php of Dolibarr before 19.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into the facid parameter.
Sources: ghsa, osv
CVE-2024-5314 | CRITICAL | CWE-89 | affected: ≤ 9.0.1 | published 2024-05-24
Dolibarr vulnerable to SQL Injection
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder and sortfield in /dolibarr/admin/dict.php.
Sources: ghsa, osv
CVE-2024-5315 | CRITICAL | PoC available | CWE-89 | affected: ≤ 9.0.1 | published 2024-05-24
Dolibarr vulnerable to SQL Injection
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters in /dolibarr/commande/list.php.
Sources: ghsa, osv
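The two entries above (CVE-2024-5314 and CVE-2024-5315) describe the classic sort-parameter injection: an ORDER BY clause assembled from user-controlled sortfield/sortorder values, which cannot be passed as bound placeholders. The block below is an added example, not Dolibarr's code and not the reported exploit for either CVE; it uses a constructed in-memory SQLite schema (tables `orders` and `users`, sample rows invented here) to show why an unfiltered sort parameter is a boolean-inference oracle even when the query returns no sensitive column, and how an allowlist of column names and directions closes it.

```python
"""Sort-parameter SQL injection (CWE-89) and its allowlist fix.

Added example on a constructed in-memory SQLite schema; it is not Dolibarr's
schema or code and not the reported exploit for these CVEs.
"""
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not taken from any real deployment.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, ref TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'ORD-0001', 120.0), (2, 'ORD-0002', 80.5), (3, 'ORD-0003', 300.0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, api_key TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t');
        """
    )
    return con


def list_orders_vulnerable(con: sqlite3.Connection, sortfield: str, sortorder: str) -> list[str]:
    # Vulnerable pattern: the sort parameters are interpolated straight into ORDER BY.
    # Identifiers cannot be bound with '?' placeholders (a bound value would sort by a
    # constant, i.e. not at all), which is why this shortcut is so common in list pages.
    sql = f"SELECT ref FROM orders ORDER BY {sortfield} {sortorder}"
    return [row[0] for row in con.execute(sql)]


# Fix: the request value is a key into a fixed map of column names; the direction is
# checked against a fixed set. Nothing from the request ever reaches the SQL text.
ALLOWED_SORTFIELDS = {"ref": "ref", "total": "total", "id": "id"}
ALLOWED_SORTORDERS = {"ASC", "DESC"}


def list_orders_hardened(con: sqlite3.Connection, sortfield: str, sortorder: str) -> list[str]:
    column = ALLOWED_SORTFIELDS.get(sortfield)
    direction = sortorder.upper()
    if column is None or direction not in ALLOWED_SORTORDERS:
        raise ValueError(f"invalid sort parameter: {sortfield!r} {sortorder!r}")
    sql = f"SELECT ref FROM orders ORDER BY {column} {direction}"
    return [row[0] for row in con.execute(sql)]


def oracle_payload(guess: str) -> str:
    # A sort expression whose outcome depends on a value the caller must not see:
    # sort by total when the guess is right, by id otherwise. Only the row order is
    # observable, and that is enough to leak one character per request.
    return (
        "(CASE WHEN (SELECT substr(api_key, 1, 1) FROM users WHERE id = 1)"
        f" = '{guess}' THEN total ELSE id END)"
    )


BY_TOTAL = ["ORD-0002", "ORD-0001", "ORD-0003"]  # ascending total: 80.5, 120.0, 300.0


def leak_first_char(con: sqlite3.Connection) -> str | None:
    # Drive the vulnerable listing with one guess per request; read the answer from the order.
    for guess in "abcdefghijklmnopqrstuvwxyz0123456789":
        if list_orders_vulnerable(con, oracle_payload(guess), "ASC") == BY_TOTAL:
            return guess
    return None


def hardened_rejects(con: sqlite3.Connection, sortfield: str, sortorder: str) -> bool:
    try:
        list_orders_hardened(con, sortfield, sortorder)
    except ValueError:
        return True
    return False


def run_demo() -> dict:
    con = make_db()
    return {
        "leaked_first_char": leak_first_char(con),
        "hardened_sort_by_total": list_orders_hardened(con, "total", "asc"),
        "hardened_rejects_payload": hardened_rejects(con, oracle_payload("s"), "ASC"),
        "hardened_rejects_direction": hardened_rejects(con, "ref", "ASC; DROP TABLE orders"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the allowlist is that it validates by lookup rather than by pattern: a regex that merely rejects quotes or semicolons would still pass the CASE expression above, which contains neither. Logging the rejected value is also worthwhile, since a sortfield that is not one of a handful of known keys is a reliable sign of probing.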
CVE-2024-31503 | HIGH | CWE-284 | affected: ≤ 19.0.0 | published 2024-04-17
Dolibarr vulnerable to Cross-Site Request Forgery
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
Sources: ghsa, osv
CVE-2024-29477 | MEDIUM | CWE-94 | affected: ≤ 19.0.0 | published 2024-04-03
Dolibarr ERP CRM Code Injection vulnerability during installation
Lack of sanitization during the installation process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent network access to execute arbitrary code via a specifically crafted input.
Sources: ghsa, osv
CVE-2024-23817 | MEDIUM | CVSS 6.1 | CWE-79 | affected: = 18.0.4 | published 2024-01-25
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifical
Sources: cvelistv5, ghsa, nvd, osv
CVE-2023-4197 | HIGH | CWE-20 | affected: < 18.0.2 | published 2023-11-01
Dolibarr Improper Input Validation vulnerability
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Sources: ghsa, osv
CVE-2023-4198 | MEDIUM | CWE-862 | affected: < 18.0.0 | published 2023-11-01
Dolibarr Improper Input Validation vulnerability
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data.
Sources: ghsa, osv
CVE-2023-5842 | MEDIUM | CWE-79 | affected: < 16.0.5 | published 2023-10-30
Cross-site Scripting (XSS) in dolibarr/dolibarr
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
Sources: ghsa, osv
CVE-2023-5323 | MEDIUM | CWE-79 | affected: < 18.0.0 | published 2023-10-01
Dolibarr Cross-site Scripting vulnerability
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.0.
Sources: ghsa, osv
CVE-2023-38888 | CRITICAL | CWE-79 | affected: < 17.0.1 | published 2023-09-20
Cross Site Scripting vulnerability in Dolibarr ERP CRM
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.
Sources: ghsa, osv
CVE-2023-38887 | HIGH | CWE-434 | affected: < 17.0.1 | published 2023-09-20
File Upload vulnerability in Dolibarr ERP CRM
File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.
Sources: ghsa, osv
CVE-2023-38886 | HIGH | CWE-78 | affected: < 17.0.1 | published 2023-09-20
Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script
An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
Sources: ghsa, osv
CVE-2023-33568 | HIGH | PoC available | CWE-200 | affected: ≥ 16.0.0, < 16.0.5 | published 2023-06-13
Dolibarr vulnerable to unauthenticated database access
An issue in Dolibarr v16.0.0 to v16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists.
Sources: ghsa, osv
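The question a practitioner brings to this listing is which entries apply to the build they actually run. The block below is an added example, not a Dolibarr or vendor tool: it transcribes the affected ranges from the entries on this page into a table in the page's own notation (≤, <, ≥, =, comma-separated clauses) and evaluates them against a version string, treating missing trailing components as zero (19.0 is 19.0.0). Only this page's twenty entries are included, so an empty result means nothing about the remaining pages of the listing.

```python
"""Check an installed Dolibarr version against the affected ranges on this page.

Added example, not a Dolibarr tool. ADVISORIES is transcribed from the entries
on this page only (page 1 of 6), so a version matching nothing here may still be
affected by entries on the other pages.
"""
from __future__ import annotations

import re

# (CVE, severity, affected-range spec in the page's notation)
ADVISORIES = [
    ("CVE-2026-34036", "MEDIUM", "≤ 22.0.4"),
    ("CVE-2020-36966", "MEDIUM", "≤ 11.0.3"),
    ("CVE-2025-56588", "HIGH", "< 21.0.3"),
    ("CVE-2021-3991", "MEDIUM", "< 15.0.0"),
    ("CVE-2024-40137", "HIGH", "< 19.0.2"),
    ("CVE-2024-37821", "HIGH", "< 19.0.2"),
    ("CVE-2024-34051", "MEDIUM", "< 19.0.2"),
    ("CVE-2024-5314", "CRITICAL", "≤ 9.0.1"),
    ("CVE-2024-5315", "CRITICAL", "≤ 9.0.1"),
    ("CVE-2024-31503", "HIGH", "≤ 19.0.0"),
    ("CVE-2024-29477", "MEDIUM", "≤ 19.0.0"),
    ("CVE-2024-23817", "MEDIUM", "= 18.0.4"),
    ("CVE-2023-4197", "HIGH", "< 18.0.2"),
    ("CVE-2023-4198", "MEDIUM", "< 18.0.0"),
    ("CVE-2023-5842", "MEDIUM", "< 16.0.5"),
    ("CVE-2023-5323", "MEDIUM", "< 18.0.0"),
    ("CVE-2023-38888", "CRITICAL", "< 17.0.1"),
    ("CVE-2023-38887", "HIGH", "< 17.0.1"),
    ("CVE-2023-38886", "HIGH", "< 17.0.1"),
    ("CVE-2023-33568", "HIGH", "≥ 16.0.0, < 16.0.5"),
]

# One clause: an operator, optional 'v', then a dotted numeric version. The "≥ 0"
# clause OSV-style ranges carry is accepted and is simply always true.
_CLAUSE = re.compile(r"^\s*(≤|≥|<=|>=|<|>|=)\s*v?([0-9][0-9.]*)\s*$")

# Each operator is a predicate on the three-way comparison result compare(version, bound).
_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, "≤": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0, "≥": lambda c: c >= 0,
    "=": lambda c: c == 0,
}


def parse_version(text: str) -> tuple[int, ...]:
    """'19.0.2' -> (19, 0, 2). Non-numeric qualifiers such as '-beta' are ignored."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare; missing trailing components count as 0, so 19.0 == 19.0.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_range(spec: str) -> list[tuple[str, tuple[int, ...]]]:
    """'≥ 16.0.0, < 16.0.5' -> [('≥', (16, 0, 0)), ('<', (16, 0, 5))]."""
    clauses = []
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable range clause {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def is_affected(version: str, spec: str) -> bool:
    """True when the version satisfies every clause of the range spec."""
    v = parse_version(version)
    return all(_OPS[op](compare(v, bound)) for op, bound in parse_range(spec))


def matching_advisories(version: str) -> list[str]:
    """CVEs from this page whose affected range covers the given version, in page order."""
    return [cve for cve, _sev, spec in ADVISORIES if is_affected(version, spec)]


def severity_counts(version: str) -> dict[str, int]:
    counts: dict[str, int] = {}
    for _cve, sev, spec in ADVISORIES:
        if is_affected(version, spec):
            counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "19.0.1"
    print(target, severity_counts(target), matching_advisories(target))
```

Run it as `python check_dolibarr.py 19.0.1` (file name assumed). Version strings with a suffix such as `19.0.1-rc` compare as `19.0.1`, which is the conservative choice for a pre-release but would overstate exposure for a distribution build carrying backported fixes; for those, compare against the distribution's own advisory data rather than upstream ranges.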