Dolibarr ERP/CRM CVE-2026-37712
Severity: HIGH
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Description (NVD)
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type
Analysis (AI-generated)
Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha stems from unsafe use of PHP's call_user_func_array() within the cron job class, enabling attackers to execute arbitrary PHP code on the application server. The vulnerability carries a CVSS score of 7.3 and is classified as CWE-94 (Code Injection). No public exploit was identified at the time of analysis, but a security researcher writeup referenced from NVD discusses a five-year history of related dol_eval issues in Dolibarr, which suggests recurring weaknesses in this code area. …
Remediation (AI-generated)
Within 24 hours: inventory all systems running Dolibarr versions 22.0.0-22.0.4 or 24.0.0-alpha and identify those accessible from untrusted networks. Within 7 days: disable cron job execution if operationally feasible, or restrict execution to authenticated scheduled maintenance windows only; begin compatibility assessment for upgrade to a stable Dolibarr release outside the vulnerable version ranges. …
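As an added helper for the inventory step above (example code written for this entry, not part of the page's guidance or of the Dolibarr project): a Python script that reads a Dolibarr install's version constant and reports whether it falls inside the affected ranges. It assumes Dolibarr defines DOL_VERSION in htdocs/filefunc.inc.php; the define line in SAMPLE is constructed.

```python
"""Flag Dolibarr trees whose version is in the CVE-2026-37712 affected ranges."""
import re
from pathlib import Path

# Affected per the advisory: 22.0.0 <= v <= 22.0.4 (numeric core), plus 24.0.0-alpha.
AFFECTED_RANGES = [((22, 0, 0), (22, 0, 4))]
AFFECTED_EXACT = {"24.0.0-alpha"}

# Assumption: Dolibarr declares its version as define('DOL_VERSION', '...') in filefunc.inc.php.
VERSION_RE = re.compile(r"""define\(\s*['"]DOL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def parse_version(v: str):
    """Split '22.0.3' or '24.0.0-alpha' into (numeric tuple, pre-release tag or None)."""
    core, _, tag = v.strip().partition("-")
    nums = tuple(int(p) for p in core.split("."))
    while len(nums) < 3:          # pad '22.0' to (22, 0, 0)
        nums += (0,)
    return nums, (tag.lower() or None)


def is_affected(v: str) -> bool:
    """True if the version is in a listed range; pre-release tags inside a range count as affected."""
    if v.strip().lower() in AFFECTED_EXACT:
        return True
    nums, _tag = parse_version(v)
    return any(lo <= nums <= hi for lo, hi in AFFECTED_RANGES)


def version_from_filefunc(text: str):
    """Extract the DOL_VERSION string from the contents of filefunc.inc.php, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def check_install(root: Path):
    """Return (version, affected) for a Dolibarr tree; (None, False) if no version file found."""
    f = root / "htdocs" / "filefunc.inc.php"
    if not f.is_file():
        return None, False
    v = version_from_filefunc(f.read_text(errors="replace"))
    return v, (is_affected(v) if v else False)


# Constructed sample of the define line; not taken from a real install.
SAMPLE = "<?php\ndefine('DOL_VERSION', '22.0.3');\n"

if __name__ == "__main__":
    print(version_from_filefunc(SAMPLE), is_affected(version_from_filefunc(SAMPLE)))
```

Run check_install() against each web root found in the inventory; a (version, True) result marks a host for the disable-or-upgrade step.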