Dolibarr ERP & CRM Remote Code Execution Vulnerability in User Module

Vulnerability

A remote code execution vulnerability has been identified in Dolibarr ERP & CRM version 21.0.1. The issue lies in the User module's configuration of computed fields: the expressions stored in these fields are not adequately restricted, so they can be used to execute server-side code. An authenticated administrator can create or modify a computed field whose expression, when evaluated during page rendering, bypasses the earlier security fixes and executes malicious code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Remediation

Users can apply the patch available in the Dolibarr GitHub repository, specifically in the commit linked in the references.

Added: Oct 1, 2025, 8:28 PM
Updated: Oct 1, 2025, 8:28 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          5.0
impact          10.0
exploitability  6.1
remediation     7.7
relevance       0.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.