Dolibarr ERP/CRM CVE-2026-37713
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.
AnalysisAI
Remote code execution in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows network-based attackers to execute arbitrary PHP code via the commonobject.class.php component. The CVSS 7.3 (AV:N/AC:L/PR:N/UI:N) vector indicates no authentication or user interaction is required, though impact metrics are rated Low across CIA. No public exploit identified at time of analysis, and EPSS scoring is very low at 0.06% (18th percentile) despite the unauthenticated network attack surface.
Technical ContextAI
Dolibarr is a popular open-source PHP-based ERP/CRM platform used by small and mid-sized businesses for accounting, inventory, CRM, and HR functionality. The flaw resides in htdocs/core/class/commonobject.class.php, a core class shared across most Dolibarr modules for object lifecycle handling. CWE-94 (Improper Control of Generation of Code, 'Code Injection') indicates user-controlled input flows into a PHP code evaluation construct - likely an eval(), create_function(), or template-evaluation path - without sufficient sanitization. The referenced research blog 'dol_eval-five-years' suggests this is the latest in a long-standing class of eval-related issues in Dolibarr's expression evaluation helpers.
Affected ProductsAI
Dolibarr ERP/CRM stable releases 22.0.0, 22.0.1, 22.0.2, 22.0.3, and 22.0.4 are affected, along with the pre-release 24.0.0-alpha branch. The vulnerable code is located in htdocs/core/class/commonobject.class.php. Vendor advisory is published at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-cq92-jp5j-rwvj. No CPE strings were provided in the source data.
RemediationAI
Patch availability should be confirmed via the vendor GitHub Security Advisory at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-cq92-jp5j-rwvj; upgrade to the latest fixed Dolibarr 22.0.x release published after 22.0.4 (released patched version not independently confirmed from the provided data). If immediate upgrade is not possible, restrict network exposure of the Dolibarr web interface by placing it behind a VPN or IP-allowlisted reverse proxy, and enable application-layer authentication enforcement at the proxy to ensure no unauthenticated request can reach commonobject.class.php code paths - the trade-off is loss of public-facing customer/partner access. Review web server logs for anomalous POST requests touching object-handling endpoints and consider WAF rules blocking PHP function names (eval, system, exec, passthru) in request parameters, accepting the false-positive risk on legitimate business data containing those strings. Background research at https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/ provides context on the recurring eval-injection pattern in Dolibarr.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today