Remote Code Execution Vulnerability in Dolibarr ERP Software
CVE-2026-23500

9.4 CRITICAL

Key Information:

Vendor: Dolibarr
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-23500?

Dolibarr, an ERP and CRM application, contains a command injection vulnerability in its ODT-to-PDF conversion step. In versions prior to 23.0.0, that step incorporates the MAIN_ODT_AS_PDF configuration constant directly into a shell command executed via exec() without sanitization. An authenticated administrator can therefore inject arbitrary operating system commands using shell command separators, leading to potential remote code execution as the web server user whenever an ODT template is generated. Users are strongly advised to upgrade to version 23.0.0 or later.
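The defect class the advisory describes, shown as an added example that is not Dolibarr's own code: a hypothetical reconstruction of the unsafe pattern (a free-form MAIN_ODT_AS_PDF value spliced into the exec() string) beside a hardened builder that only accepts an allowlisted converter name and quotes every argument. The function names, the converter allowlist and the converter flags are assumptions for illustration.

```php
<?php
// Added example, not Dolibarr's code. Function names, the converter
// allowlist and the flags used here are assumptions for illustration.

// Unsafe pattern (hypothetical reconstruction of what the advisory describes):
// the raw MAIN_ODT_AS_PDF setting becomes part of the shell string, so any
// shell separator inside it is interpreted by the shell that exec() spawns.
function build_command_unsafe(string $mainOdtAsPdf, string $odtFile): string
{
    return $mainOdtAsPdf . ' ' . $odtFile;   // handed to exec() as-is
}

// Hardened version: the setting may only SELECT a converter; it never
// contributes shell text. Every token is quoted with escapeshellarg().
const ODT_CONVERTERS = [
    'libreoffice' => ['libreoffice', '--headless', '--convert-to', 'pdf', '--outdir'],
    'soffice'     => ['soffice', '--headless', '--convert-to', 'pdf', '--outdir'],
    'unoconv'     => ['unoconv', '-f', 'pdf', '-o'],
];

function build_command_hardened(string $mainOdtAsPdf, string $odtFile, string $outDir): string
{
    if (!array_key_exists($mainOdtAsPdf, ODT_CONVERTERS)) {
        throw new InvalidArgumentException(
            'MAIN_ODT_AS_PDF must be one of: ' . implode(', ', array_keys(ODT_CONVERTERS)));
    }
    if (strtolower(pathinfo($odtFile, PATHINFO_EXTENSION)) !== 'odt') {
        throw new InvalidArgumentException('input must be an .odt file');
    }
    $argv   = ODT_CONVERTERS[$mainOdtAsPdf];
    $argv[] = $outDir;
    $argv[] = $odtFile;
    // Single-quoting each token makes ; | & ` $ and newlines inert.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Audit helper for an existing installation: a stored setting is acceptable
// only if it is exactly an allowlisted key; anything else should be reset.
function setting_is_safe(string $value): bool
{
    return array_key_exists($value, ODT_CONVERTERS);
}

// Demo with constructed values (paths are placeholders).
echo build_command_hardened('libreoffice', '/var/www/docs/invoice.odt', '/var/www/docs'), PHP_EOL;
var_dump(setting_is_safe('libreoffice'));
var_dump(setting_is_safe('libreoffice --headless'));   // extra text is rejected, not quoted
```

The audit helper can be run against the stored MAIN_ODT_AS_PDF value of an unpatched instance to confirm it holds nothing beyond a bare converter name before the upgrade to 23.0.0 is scheduled.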

Affected Version(s)

dolibarr < 23.0.0

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved