Platform: php
Component: dolibarr
Fixed in: 23.0.1, 22.0.5
CVE-2026-23500 describes a Command Injection vulnerability affecting Dolibarr versions 23.0.0 and earlier. An authenticated administrator can exploit this flaw to execute arbitrary operating system commands, potentially leading to system compromise and data breaches. The vulnerability resides in the ODT to PDF conversion process within the htdocs/includes/odtphp/odf.php file. A fix is available in version 23.0.0.
Successful exploitation of CVE-2026-23500 allows an authenticated administrator to execute arbitrary commands on the server hosting Dolibarr. This grants the attacker complete control over the system, enabling them to read, modify, or delete sensitive data, install malware, or pivot to other systems on the network. The impact is particularly severe as it requires only authentication as an administrator, a privilege often held by key personnel. The ability to execute arbitrary commands bypasses standard security controls and can lead to a complete system takeover. The vulnerability's location within the ODT to PDF conversion process means that malicious ODT files could be crafted to trigger the command injection.
CVE-2026-23500 was publicly disclosed on 2026-04-17. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the ease of exploitation (requiring only administrator authentication) and the potential for significant impact, it is recommended to prioritize remediation.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
The primary mitigation for CVE-2026-23500 is to upgrade Dolibarr to version 23.0.0 or later, which contains the fix. If an immediate upgrade is not possible, consider restricting administrator access to the MAIN_ODT_AS_PDF configuration setting; this is not a complete solution, but it limits the attack surface. Review and audit all ODT files uploaded to the system for suspicious content. Deploy a Web Application Firewall (WAF) with rules that detect and block attempts to inject commands into the MAIN_ODT_AS_PDF parameter. Monitor Dolibarr logs for unusual command execution activity.
Update Dolibarr to version 23.0.0 or higher to mitigate the vulnerability. This version corrects the operating system command injection by sanitizing user input in the ODT to PDF conversion process.
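The advisory says the fix sanitizes input in the ODT to PDF conversion step. The following is an added example of one defensive pattern for that step, not Dolibarr's own odf.php code: the converter is chosen from a fixed allowlist, the ODT path is confined to the document directory, and every argument is quoted with escapeshellarg() before the command line is assembled. It assumes MAIN_ODT_AS_PDF holds a converter name; the converter paths and flags are made up for the demo.

```php
<?php
// Added example, not Dolibarr's odf.php: build the ODT to PDF conversion
// command from an allowlist of converters plus escapeshellarg(), instead of
// interpolating the admin-controlled setting and the file name into a shell
// string. The setting name MAIN_ODT_AS_PDF and the converter table are assumptions.
declare(strict_types=1);

// Only converters the deployment actually supports; the configured value must
// match a key exactly, so it can never smuggle extra shell syntax.
const ALLOWED_CONVERTERS = [
    'libreoffice' => ['/usr/bin/libreoffice', '--headless', '--convert-to', 'pdf', '--outdir'],
    'soffice'     => ['/usr/bin/soffice', '--headless', '--convert-to', 'pdf', '--outdir'],
];

/**
 * Returns the shell command line for converting $odtPath to PDF, or throws.
 * $converter is the value of MAIN_ODT_AS_PDF; $documentRoot is the directory
 * all generated ODT files must live under.
 */
function buildConversionCommand(string $converter, string $odtPath, string $documentRoot): string
{
    if (!array_key_exists($converter, ALLOWED_CONVERTERS)) {
        throw new InvalidArgumentException('Unsupported ODT to PDF converter: ' . $converter);
    }
    $root = realpath($documentRoot);
    $real = realpath($odtPath);
    // Reject paths that resolve outside the document root or are not .odt files.
    if ($root === false || $real === false
        || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)
        || !str_ends_with($real, '.odt')) {
        throw new InvalidArgumentException('ODT path is not a .odt file under the document root');
    }
    $argv = ALLOWED_CONVERTERS[$converter];
    $argv[] = dirname($real);
    $argv[] = $real;
    // escapeshellarg() quotes each argument, so metacharacters in a file name stay inert.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed demo: a file name carrying shell metacharacters is passed through
// as one quoted argument rather than being interpreted by the shell.
$demoRoot = sys_get_temp_dir() . '/odt-demo-' . getmypid();
mkdir($demoRoot);
$demoFile = $demoRoot . '/invoice; id.odt';
touch($demoFile);
echo buildConversionCommand('libreoffice', $demoFile, $demoRoot), PHP_EOL;
unlink($demoFile);
rmdir($demoRoot);
```

Requires PHP 8.0 or later for str_starts_with() and str_ends_with(); the returned string is meant to be passed to a single exec-style call, never re-split or re-interpolated.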
CVE-2026-23500 is a Command Injection vulnerability in Dolibarr versions 23.0.0 and earlier. An authenticated administrator can execute arbitrary operating system commands, potentially leading to system compromise.
You are affected if you are running Dolibarr versions 23.0.0 or earlier and have an authenticated administrator account.
Upgrade Dolibarr to version 23.0.0 or later. If an immediate upgrade is not possible, restrict administrator access to the MAIN_ODT_AS_PDF configuration setting.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the official Dolibarr security advisory for detailed information and updates: [https://www.dolibarr.org/security/](https://www.dolibarr.org/security/)