Skip to main content

Dolibarr

27 CVEs product

Monthly

CVE-2026-58376 HIGH POC PATCH This Week

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.

SQLi Information Disclosure PHP Dolibarr
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2021-42220 PHP MEDIUM POC PATCH This Month

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-25957 PHP HIGH PATCH This Week

In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Dolibarr
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2021-25956 PHP HIGH PATCH This Week

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Dolibarr Dolibarr Erp Crm
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
CVE-2021-25955 PHP CRITICAL PATCH Act Now

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Privilege Escalation PHP XSS Dolibarr
NVD GitHub
CVSS 3.1
9.0
EPSS
0.9%
CVE-2021-25954 PHP MEDIUM PATCH This Month

In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

PHP Authentication Bypass Dolibarr
NVD GitHub
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-14209 PHP HIGH POC PATCH THREAT This Week

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Dolibarr
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
27.5%
CVE-2020-14201 PHP MEDIUM POC PATCH This Month

Dolibarr CRM before 11.0.5 allows privilege escalation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PHP Dolibarr
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2020-14443 PHP HIGH PATCH This Week

A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
CVSS 3.1
8.8
EPSS
1.1%
CVE-2020-13094 PHP MEDIUM POC PATCH This Month

Dolibarr before 11.0.4 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2020-12669 PHP HIGH PATCH This Week

core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass PHP Dolibarr
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2018-19799 PHP MEDIUM POC This Month

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Dolibarr
NVD Exploit-DB
CVSS 3.0
6.1
EPSS
4.5%
CVE-2018-9019 PHP CRITICAL PATCH Act Now

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr Data Integrator
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2018-10095 PHP MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS PHP Dolibarr
NVD GitHub
CVSS 3.0
6.1
EPSS
87.0%
CVE-2018-10094 PHP CRITICAL POC PATCH THREAT Act Now

SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Dolibarr
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
71.2%
CVE-2018-10092 PHP HIGH POC PATCH This Week

The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Dolibarr
NVD GitHub
CVSS 3.0
8.0
EPSS
2.0%
CVE-2017-14242 PHP CRITICAL PATCH Act Now

SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-14241 PHP MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Dolibarr
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2017-14240 PHP HIGH PATCH This Week

There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Dolibarr
NVD GitHub
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-14239 PHP MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Dolibarr
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2017-14238 PHP CRITICAL PATCH Act Now

SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-9840 PHP HIGH This Week

Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Dolibarr
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-9435 PHP CRITICAL PATCH Act Now

Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2016-1912 PHP MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Dolibarr
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2015-8685 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2015-3935 PHP MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Dolibarr
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
CVE-2014-7137 MEDIUM POC This Month

Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Dolibarr
NVD
CVSS 2.0
6.5
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

SQL injection in Dolibarr ERP/CRM through version 23.0.3 lets authenticated REST API users exfiltrate arbitrary database contents - including password hashes and API keys - by abusing the sqlfilters parameter on the setup dictionary and multicurrencies list endpoints. The flawed filter only checked for balanced parentheses and rewrote matched triplets, so an appended UNION SELECT placed outside the expected pattern was concatenated into the WHERE clause unmodified. Publicly available exploit code exists and a vendor fix has been committed; the issue is not listed in CISA KEV.

SQLi Information Disclosure PHP +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

In “Dolibarr” application, v2.8.1 to v13.0.2 are vulnerable to account takeover via password reset functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Dolibarr
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Dolibarr Dolibarr Erp Crm
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL PATCH Act Now

In “Dolibarr ERP CRM”, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the “Private. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Privilege Escalation PHP XSS +1
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

In “Dolibarr” application, 2.8.1 to 13.0.4 don’t restrict or incorrectly restricts access to a resource from an unauthorized actor. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

PHP Authentication Bypass Dolibarr
NVD GitHub
EPSS 27% CVSS 8.8
HIGH POC PATCH THREAT This Week

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Dolibarr CRM before 11.0.5 allows privilege escalation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation PHP Dolibarr
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Dolibarr before 11.0.4 allows XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass PHP Dolibarr
NVD GitHub
EPSS 4% CVSS 6.1
MEDIUM POC This Month

Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Dolibarr
NVD Exploit-DB
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

SQL Injection vulnerability in Dolibarr before version 7.0.2 allows remote attackers to execute arbitrary SQL commands via the sortfield parameter to /accountancy/admin/accountmodel.php,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr +1
NVD GitHub
EPSS 87% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in Dolibarr before 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the foruserlogin parameter to adherents/cartes/carte.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS PHP Dolibarr
NVD GitHub
EPSS 71% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Dolibarr
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.0
HIGH POC PATCH This Week

The admin panel in Dolibarr before 7.0.2 might allow remote attackers to execute arbitrary commands by leveraging support for updating the antivirus command and parameters used to scan file uploads. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Dolibarr
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the statut parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the Title parameter to htdocs/admin/menus/edit.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Dolibarr
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

There is a sensitive information disclosure vulnerability in document.php in Dolibarr ERP/CRM version 6.0.0 via the file parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PHP Information Disclosure Dolibarr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 6.0.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) CompanyName, (2) CompanyAddress, (3). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Dolibarr
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CRM version 6.0.0 allows remote attackers to execute arbitrary SQL commands via the menuId parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Dolibarr
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user/index.php (search_supervisor and search_statut parameters). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi PHP Dolibarr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Dolibarr
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) external calendar url or (2) the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Dolibarr
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5 and 3.6 allow remote attackers to inject arbitrary web script or HTML via the Business Search (search_nom) field to (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

XSS PHP Dolibarr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Dolibarr
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy