Dolibarr ERP & CRM Website Module Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the Website module of Dolibarr ERP & CRM versions through 22.0.4. The issue arises because the application relies on a blacklist-based filter to block dangerous PHP functions that could execute system commands; blacklists of this kind are inherently incomplete. An authenticated user with permission to edit PHP content can bypass the filter, and doing so allows the execution of arbitrary operating system commands on the server.

Impact

Exploitation of this vulnerability leads to remote code execution on the server, allowing for arbitrary command execution. This could result in a full compromise of the web application, unauthorized access to sensitive data, and potential modification or deletion of data.

Added: Apr 21, 2026, 4:15 PM
Updated: Apr 21, 2026, 4:15 PM

Vulnerability Rating

Custom Algorithm

category         score
spread           5.0
impact           10.0
exploitability   5.2
remediation      0.0
relevance        6.4
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to derive these 8 key vulnerability categories, which are then combined to calculate the overall risk score.