Platform
php
Component
dolibarr
Fixed in
23.0.1
22.0.5
CVE-2026-23500 describes a Command Injection vulnerability affecting Dolibarr versions 23.0.0 and earlier. An authenticated administrator can exploit this flaw to execute arbitrary operating system commands, potentially leading to system compromise and data breaches. The vulnerability resides in the ODT to PDF conversion process within the htdocs/includes/odtphp/odf.php file. A fix is available in version 23.0.0.
Successful exploitation of CVE-2026-23500 allows an authenticated administrator to execute arbitrary commands on the server hosting the Dolibarr application. This can lead to complete system compromise, data exfiltration, and denial of service. An attacker could potentially install malware, modify system configurations, or access sensitive data stored within the Dolibarr database. The blast radius extends to all data and services managed by the Dolibarr instance, and potentially to other systems accessible from the compromised server.
This vulnerability was published on 2026-04-17. Currently, there are no public exploits or active campaigns targeting this vulnerability. However, the ease of exploitation makes it a high-priority target. Monitor security advisories and threat intelligence feeds for updates.
Organizations using Dolibarr for ERP or CRM functions, particularly those with administrator accounts that have broad permissions, are at risk. Shared hosting environments where multiple users share the same Dolibarr instance are also particularly vulnerable, as a compromised administrator account could impact all users on the server.
• linux / server:
journalctl -u dolibarr | grep -i "exec()"
• generic web:
curl -I 'http://your-dolibarr-instance/htdocs/includes/odtphp/odf.php?file=malicious.odt' | grep 'MAIN_ODT_AS_PDF'
disclosure
Exploit status
EPSS
0.15% (35th percentile)
CISA SSVC
The primary mitigation is to upgrade Dolibarr to version 23.0.0 or later. Before upgrading, back up your Dolibarr database and configuration files. If upgrading is not immediately feasible, restrict administrator access to the Dolibarr application. Implement strict input validation on all user-supplied data, particularly the MAIN_ODT_AS_PDF configuration setting. Consider using a Web Application Firewall (WAF) to filter potentially malicious requests. After upgrading, verify the fix by attempting to inject a command into the MAIN_ODT_AS_PDF setting and confirming that the command is not executed.
Upgrade Dolibarr to version 23.0.0 or later to mitigate the vulnerability. This version fixes the operating-system command injection by sanitizing user input in the ODT-to-PDF conversion process.
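An added example of the input validation the mitigation calls for; this is not Dolibarr's own code nor the patched odf.php. The MAIN_ODT_AS_PDF value is matched against an exact allowlist and every path is quoted before a converter command line is built, so a tampered setting is refused rather than reaching the shell. The converter names, their argument layouts and the function name are assumptions for illustration.

```php
<?php
// Added example, not Dolibarr's code. The MAIN_ODT_AS_PDF setting selects a
// converter from an exact allowlist; the binary never comes from the setting
// itself, and the input file and output directory go through escapeshellarg().
// Converter names and argument layouts below are assumed for illustration.

const ODT_CONVERTERS = [
    'libreoffice' => ['libreoffice', '--headless', '--convert-to', 'pdf', '--outdir'],
    'unoconv'     => ['unoconv', '-f', 'pdf', '-o'],
];

/**
 * Build the ODT-to-PDF command for the configured converter, or throw.
 * Any value that is not exactly an allowlisted name is rejected.
 */
function buildOdtToPdfCommand(string $setting, string $odtPath, string $outDir): string
{
    $setting = trim($setting);
    // Exact-match allowlist: no paths, no prefixes, no extra shell tokens.
    if (!array_key_exists($setting, ODT_CONVERTERS)) {
        throw new InvalidArgumentException("Unsupported MAIN_ODT_AS_PDF value: $setting");
    }
    $real = realpath($odtPath);
    if ($real === false || !is_file($real)
        || strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'odt') {
        throw new InvalidArgumentException("Not an existing .odt file: $odtPath");
    }
    $dir = realpath($outDir);
    if ($dir === false || !is_dir($dir)) {
        throw new InvalidArgumentException("Output directory missing: $outDir");
    }
    $argv = ODT_CONVERTERS[$setting];
    $bin  = array_shift($argv);              // fixed literal from the allowlist
    $argv[] = $dir;
    $argv[] = $real;
    return $bin . ' ' . implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed demo: one valid setting and one tampered setting.
$odt = sys_get_temp_dir() . '/sample-' . getmypid() . '.odt';
touch($odt);
foreach (['libreoffice', 'libreoffice; id'] as $value) {
    try {
        echo "OK   ", buildOdtToPdfCommand($value, $odt, sys_get_temp_dir()), "\n";
    } catch (InvalidArgumentException $e) {
        echo "DENY ", $e->getMessage(), "\n";
    }
}
unlink($odt);
```

The first iteration yields a quoted command line; the second is refused with a DENY message before any command exists.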
CVE-2026-23500 is a Command Injection vulnerability in Dolibarr versions 23.0.0 and earlier. An authenticated administrator can execute arbitrary operating system commands, potentially leading to system compromise.
You are affected if you are running Dolibarr versions 23.0.0 or earlier and have an authenticated administrator account.
Upgrade Dolibarr to version 23.0.0 or later. If immediate upgrading is not possible, restrict administrator access to the MAIN_ODT_AS_PDF configuration setting.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the official Dolibarr security advisory for detailed information and updates: [https://www.dolibarr.org/security/](https://www.dolibarr.org/security/)