Skip to main content

Dolibarr CVE-2026-58376

| EUVDEUVD-2026-40363 HIGH
SQL Injection (CWE-89)
2026-06-30 VulnCheck GHSA-2852-jv28-2mv8
7.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Network REST API, low complexity, but requires a valid API account so PR:L; primarily data exfiltration gives C:H with minor I/A impact from injectable SQL.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Source Code Evidence Fetched
Jun 30, 2026 - 17:32 vuln.today
Analysis Updated
Jun 30, 2026 - 17:32 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 17:22 NVD
7.6 (HIGH) 7.2 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:20 vuln.today

DescriptionCVE.org

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape such as an appended UNION SELECT to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.

AnalysisAI

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege API credentials
Delivery
Call setup/multicurrencies list endpoint
Exploit
Inject UNION SELECT via sqlfilters parameter
Execution
Bypass parenthesis-only validation
Persist
Concatenate into SQL WHERE clause
Impact
Exfiltrate password hashes and API keys

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Dolibarr REST API account (CVSS PR:L) with access to the vulnerable list endpoints - the setup dictionary endpoints (regions, incoterms, VAT) in api_setup.class.php and the multicurrencies index in api_multicurrencies.class.php - and the ability to supply the 'sqlfilters' query parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L, base 7.2) is internally consistent with the description: network-reachable, low complexity, requires low-level privileges (an authenticated API account), no user interaction, and high confidentiality impact with minor integrity/availability impact - matching a read-oriented data-exfiltration SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege Dolibarr API account (or a compromised integration token) sends a GET request to the multicurrencies or setup-dictionary list endpoint with a sqlfilters value that closes the expected expression and appends a UNION SELECT against the user table. Because validation only checks parenthesis balance, the injected clause is concatenated into the WHERE clause and executed, returning password hashes and API keys in the API response. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from commit 14db36e (https://github.com/Dolibarr/dolibarr/commit/14db36e8486ef725b0d493d97abb2950a54358d3) via PR #38794 (https://github.com/Dolibarr/dolibarr/pull/38794), which routes sqlfilters through forgeSQLFromUniversalSearchCriteria() instead of the weak _checkFilters()/regex rewrite, or upgrade to the next release that incorporates it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Dolibarr deployments to identify affected versions and document REST API user accounts and integration configurations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-58376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy