SQL Injection Vulnerability in Dolibarr ERP CRM Shipments API Endpoint
CVE-2026-7688

2.3 LOW

Key Information:

Vendor

Dolibarr

Status
Vendor
CVE Published:
3 May 2026

What is CVE-2026-7688?

CVE-2026-7688 is a SQL injection vulnerability in Dolibarr ERP CRM up to version 23.0.2. It sits in the _checkValForAPI function as used by the Shipments API endpoint: manipulating the endpoint's input arguments lets an attacker alter the SQL statement that is executed. The flaw is reachable over the network, but the attack complexity is rated High and the overall CVSS 4.0 score is 2.3 (Low). Note that the published vector leaves Privileges Required undefined, so the advisory does not state whether an authenticated API session is needed. The vendor was contacted ahead of disclosure and did not respond, so no vendor fix is referenced here. Exploit code is publicly available, which raises the priority of mitigating exposed installations: until a fix ships, restrict network access to the REST API to trusted hosts and monitor for anomalous Shipments API requests.
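The advisory gives no code, so the following is an added example, not Dolibarr's own code and not the actual sink in _checkValForAPI. It shows the bug class described above against a constructed in-memory SQLite database: an API argument concatenated into a WHERE clause, the same lookup with a bound parameter, and an allow-list check of the kind an API layer should apply before a value reaches SQL. Table names, column names, the sample rows and the payload are all hypothetical.

```python
"""
Added example for the SQL injection class described in the advisory.
Not Dolibarr code: the schema, rows, payload and helper names are
constructed for illustration only.
"""
import re
import sqlite3

# Constructed sample data, not real Dolibarr records.
SHIPMENTS = [(1, "SH-0001", 7), (2, "SH-0002", 8), (3, "SH-0003", 7)]
USERS = [(1, "admin", "k-very-secret")]

# Constructed payload: closes the string literal, appends a UNION that
# reads another table, and comments out the rest of the original query.
PAYLOAD = "x' UNION SELECT api_key FROM user -- "


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a hypothetical shipments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shipments (rowid INTEGER, ref TEXT, fk_soc INTEGER)")
    conn.executemany("INSERT INTO shipments VALUES (?, ?, ?)", SHIPMENTS)
    conn.execute("CREATE TABLE user (rowid INTEGER, login TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, ref: str) -> list:
    """Untrusted 'ref' becomes part of the SQL text, so it can change the
    query's structure. This is the pattern the advisory describes."""
    sql = f"SELECT ref FROM shipments WHERE ref = '{ref}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, ref: str) -> list:
    """Same lookup with a bound parameter: the driver passes the value
    separately from the statement, so it is only ever compared as data."""
    sql = "SELECT ref FROM shipments WHERE ref = ?"
    return [row[0] for row in conn.execute(sql, (ref,))]


# Hypothetical allow-list for a shipment reference argument.
REF_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_safe_api_value(value: str) -> bool:
    """Allow-list check an API layer should run before a value reaches SQL.
    Hypothetical; this is not Dolibarr's _checkValForAPI. Rejecting
    everything outside the expected shape is defence in depth, not a
    substitute for parameterised queries."""
    return REF_PATTERN.fullmatch(value) is not None


if __name__ == "__main__":
    conn = make_db()
    # The concatenated query returns the api_key column of another table.
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))
    # The parameterised query treats the payload as a literal ref and finds nothing.
    print("hardened:  ", lookup_hardened(conn, PAYLOAD))
    print("allow-list accepts payload:", is_safe_api_value(PAYLOAD))
```

Run it with any Python 3 interpreter; the vulnerable lookup leaks the constructed API key, the parameterised lookup returns an empty list, and the allow-list rejects the payload. Both the bound parameter and the allow-list are needed in practice: the parameter fixes the sink, the allow-list catches values that reach other sinks the API may have.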

Affected Version(s)

ERP CRM 23.0.0

ERP CRM 23.0.1

ERP CRM 23.0.2

References

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined (not stated in the advisory)
User Interaction: None

Timeline

  • Vulnerability Reserved

  • Vulnerability published: 3 May 2026

Credit

Chris Oakley
chris00 (VulDB User)
VulDB CNA Team