SQL Injection Vulnerability in Dolibarr ERP Software
CVE-2026-58376

7.2HIGH

Key Information:

Vendor

Dolibarr

Status
Dolibarr
Vendor
CVE Published:
30 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-58376?

Dolibarr ERP software versions up to 23.0.3 are susceptible to an SQL injection vulnerability that enables authenticated users to exfiltrate sensitive database contents. This flaw occurs due to inadequate validation of the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. Attackers may exploit this vulnerability by injecting malicious input, which the system fails to filter adequately, allowing arbitrary SQL commands to be executed. Consequently, attackers can access sensitive information, including password hashes and API keys, greatly compromising the security of the application.

Affected Version(s)

dolibarr 0 <= 23.0.3

dolibarr 14db36e8486ef725b0d493d97abb2950a54358d3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-58376 - Proof of Concept

References

https://github.com/Dolibarr/dolibarr/issues/38768
exploittechnical-description
https://github.com/Dolibarr/dolibarr/pull/38794
issue-tracking
https://github.com/Dolibarr/dolibarr/commit/14db36e8486ef...
patch

CVSS V4

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.