Dolibarr ERP CRM vulnerabilities
101 known vulnerabilities affecting dolibarr/dolibarr_erp_crm.
Total CVEs: 101
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 30, MEDIUM 49
Vulnerabilities
Page 1 of 6
CVE-2026-22666 | HIGH | CVSS 8.6 | CWE-95 | fixed in 23.0.2 | 2026-04-07
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or ot
Sources: cvelistv5, nvd
CVE-2026-34036 | MEDIUM | CVSS 6.5 | CWE-98 | affects ≤ 22.0.4 | 2026-03-31
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access contro
Source: nvd
CVE-2019-25450 | HIGH | CVSS 7.1 | CWE-89 | affects v10.0.1 | 2026-02-22
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database informat
Sources: cvelistv5, nvd
CVE-2019-25452 | HIGH | CVSS 8.8 | CWE-89 | affects v10.0.1 | 2026-02-22
Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time
Sources: cvelistv5, nvd
CVE-2021-47779 | HIGH | CVSS 8.4 | CWE-79 | affects v14.0.2 | 2026-01-16
Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.
Source: nvd
CVE-2025-56588 | HIGH | CVSS 8.8 | CWE-94 | affects v21.0.1 | 2025-10-01
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter.
Source: nvd
CVE-2024-55228 | CRITICAL | CVSS 9.0 | CWE-79 | affects v21.0.0 | 2025-01-27
A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Source: nvd
CVE-2024-55227 | CRITICAL | CVSS 9.0 | CWE-79 | affects v21.0.0 | 2025-01-27
A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
Source: nvd
CVE-2021-3991 | MEDIUM | CVSS 4.3 | CWE-285 | fixed in 20.0.2 | 2024-11-15
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
Source: nvd
CVE-2024-37821 | HIGH | CVSS 8.8 | CWE-94 | fixed in 19.0.2 | 2024-06-18
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
Source: nvd
CVE-2024-5314 | CRITICAL | CVSS 9.1 | CWE-89 | affects v9.0.1 | 2024-05-24
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters sortorder and sortfield in /dolibarr/admin/dict.php.
Source: nvd
CVE-2024-5315 | CRITICAL | CVSS 9.1 | CWE-89 | PoC | affects v9.0.1 | 2024-05-24
Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote attacker to send a specially crafted SQL query to the system and retrieve all the information stored in the database through the parameters viewstatut in /dolibarr/commande/list.php.
Source: nvd
CVE-2024-31503 | HIGH | CVSS 7.5 | CWE-352 | fixed in 19.0.1 | 2024-04-17
Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted web page, leading to account takeover.
Source: nvd
CVE-2024-29477 | HIGH | CVSS 8.8 | CWE-94 | fixed in 19.0.1 | 2024-04-03
Lack of sanitization during the installation process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input.
Source: nvd
CVE-2024-23817 | MEDIUM | CVSS 6.1 | CWE-79 | affects v18.0.4 | 2024-01-25
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has an HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifical
Source: nvd
CVE-2023-4197 | HIGH | CVSS 8.8 | CWE-20 | affects ≤ 18.0.1 | 2023-11-01
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.
Sources: cvelistv5, nvd
CVE-2023-4198 | MEDIUM | CVSS 6.5 | CWE-862 | affects ≤ 17.0.3 | 2023-11-01
Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data.
Sources: cvelistv5, nvd
CVE-2023-5842 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 16.0.5 | 2023-10-30
Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.5.
Source: nvd
CVE-2023-5323 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 18.0 | 2023-10-01
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
Source: nvd
CVE-2023-38888 | CRITICAL | CVSS 9.6 | CWE-79 | affects ≤ 17.0.1 | 2023-09-20
Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.
Source: nvd