Which versions of PHP are affected by CVE-2026-23500?

Dolibarr ERP/CRM versions before 23.0.0 contain a critical command injection vulnerability in PDF template conversion that allows authenticated administrators to execute arbitrary system commands…. A patch is available.

How to fix or mitigate CVE-2026-23500?

Within 24 hours: Identify all Dolibarr instances and document current versions. Within 7 days: Upgrade all Dolibarr ERP/CRM deployments to version 23.0.0 or later. Within 30 days: Conduct access review of administrative accounts and implement principle of least privilege for administrator roles; enable audit logging for template conversion operations.

PHP CVE-2026-23500

Q: What is the CVSS score of CVE-2026-23500?

CVE-2026-23500 has a CVSS 4.0 base score of 9.4 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

EUVD-2026-23502 CRITICAL

OS Command Injection (CWE-78)

2026-04-17 GitHub_M

GHSA-w5j3-8fcr-h87w

PHP RCE Command Injection

9.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Patch released

May 01, 2026 - 18:28 nvd

Patch available

Re-analysis Queued

Apr 20, 2026 - 19:07 vuln.today

cvss_changed

Analysis Generated

Apr 17, 2026 - 23:48 vuln.today

Patch available

Apr 17, 2026 - 21:16 EUVD

EUVD ID Assigned

Apr 17, 2026 - 20:45 euvd

EUVD-2026-23502

Analysis Generated

Apr 17, 2026 - 20:45 vuln.today

CVE Published

Apr 17, 2026 - 20:25 nvd

CRITICAL 9.4

DescriptionNVD

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

AnalysisAI

Command injection in Dolibarr ERP/CRM versions before 23.0.0 allows authenticated administrators to execute arbitrary operating system commands during ODT-to-PDF template conversion. The vulnerability stems from unsanitized concatenation of the MAIN_ODT_AS_PDF configuration constant into shell commands in odf.php. …

RemediationAI

Within 24 hours: Identify all Dolibarr instances and document current versions. Within 7 days: Upgrade all Dolibarr ERP/CRM deployments to version 23.0.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-23500 vulnerability details – vuln.today

Back

PHP CVE-2026-23500

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

PHP CVE-2026-23500

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code