Description
Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Published: 2026-05-23
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dolibarr ERP CRM 7.0.3 lets an unauthenticated attacker execute arbitrary PHP code. The precondition is that the installer scripts under install/ are still reachable over the web on a deployed instance. The attacker sends a POST request to install/step1.php with PHP code in the db_name parameter; that code is later evaluated when the attacker requests the check.php endpoint with a cmd GET parameter, so the cmd value runs as a command on the host as the web-server user. Two ordinary HTTP requests therefore yield command execution, compromising the confidentiality, integrity and availability of the whole server.
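
An added example, not part of this OpenCVE record and not code from Dolibarr: a small Python script that scans web-server access logs in the common "combined" format for the two-request pattern described above (a POST to install/step1.php followed from the same source by a GET to check.php carrying a cmd parameter). The log lines are constructed for illustration, and the /dolibarr/ path prefix and the log format are assumptions. It goes slightly beyond the text in one respect: a check.php?cmd= request with no preceding POST in the same log is still reported, at lower confidence, because the injection may predate the log window or have come from another address.

```python
"""Scan combined-format access logs for the install/step1.php -> check.php exploit chain."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: host ident user [time] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic). The /dolibarr/ prefix is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2026:18:01:02 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2026:18:01:05 +0000] "POST /dolibarr/install/step1.php HTTP/1.1" 200 2219 "-" "python-requests/2.31"
203.0.113.7 - - [23/May/2026:18:01:07 +0000] "GET /dolibarr/install/check.php?cmd=id HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.4 - - [23/May/2026:18:02:00 +0000] "GET /dolibarr/install/check.php?cmd=whoami HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [23/May/2026:18:03:00 +0000] "GET /dolibarr/install/check.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, query, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec.pop("url"))
    rec["path"] = url.path.lower()
    rec["query"] = parse_qs(url.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Map a request to an exploit stage: 'inject', 'execute', 'install_access' or None."""
    path = rec["path"]
    if rec["method"] == "POST" and path.endswith("/install/step1.php"):
        return "inject"          # stage 1: PHP smuggled in via db_name (the body is not in the access log)
    if path.endswith("/check.php") and "cmd" in rec["query"]:
        return "execute"         # stage 2: the injected code evaluates the cmd parameter
    if "/install/" in path:
        return "install_access"  # any other access to the installer on a deployed instance
    return None


def analyse(lines):
    """Return exploit findings per source IP, plus every IP that reached the installer or check.php?cmd=."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec)
        if stage:
            events[rec["ip"]].append((stage, rec))

    findings = []
    for ip, evs in events.items():
        injected = False  # log lines are assumed to be in chronological order
        for stage, rec in evs:
            if stage == "inject":
                injected = True
            elif stage == "execute":
                findings.append({
                    "ip": ip,
                    "ts": rec["ts"],
                    "cmd": rec["query"]["cmd"][0],
                    "status": rec["status"],
                    # full chain observed from this source, or only the execution stage
                    "verdict": "chain" if injected else "execute_only",
                })
    return {"findings": findings, "install_ips": sorted(events)}


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines())["findings"]:
        print(f"{f['verdict']:13} {f['ip']:15} {f['ts']} cmd={f['cmd']!r} status={f['status']}")
```

The access log does not carry the POST body, so the first stage cannot be confirmed from the log alone; on a deployed instance any POST to install/step1.php is suspicious in itself. A 403 on the second request (as for 198.51.100.4 in the sample) shows a web-server deny rule doing its job, but the attempt is still worth recording. The install_ips list is the low-signal view: after installation, nobody should be touching install/ at all.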

Affected Systems

The affected vendor is Dolibarr and the product is Dolibarr ERP CRM. The record names release 7.0.3 as vulnerable. The CPE attached to this record (cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*) carries no version bound, so the data here neither confirms nor rules out other releases; treat 7.0.3 as the only confirmed affected version and check any other deployed version against the vendor's own advisories.

Risk and Exploitability

This page records two CVSS scores, both critical: 9.8 under CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and 9.3 under CVSS v4.0. No EPSS score is available, but the attack path is remote, unauthenticated and consists of two ordinary HTTP requests, so exploitation needs no special skill or access. The vulnerability is not listed in the CISA KEV catalog; absence from KEV means no exploitation has been catalogued there, not that the risk is lower. An attacker who can reach the install/ scripts gains full control of the affected system.

Generated by OpenCVE AI on May 23, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a current Dolibarr ERP CRM release. This record lists no vendor fix, so confirm from the vendor's release notes that the version you move to addresses this issue rather than assuming any version above 7.0.3 does.
  • Remove the install/ directory (containing install/step1.php) from the web root once installation or upgrade is complete, or lock it with Dolibarr's own mechanism: an install.lock file in the documents directory makes the install and upgrade scripts refuse to run.
  • In the web server or application firewall, deny all requests to the install/ path (every method, including GET, and including check.php) except from administrative sources. The exploit's second stage is a plain GET with a cmd parameter, so a rule that only blocks POSTs to install/step1.php leaves already-injected code reachable.

Generated by OpenCVE AI on May 23, 2026 at 19:20 UTC.


Advisories

No advisories yet.

History

Sat, 23 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Dolibarr erp Crm
Vendors & Products | - | Dolibarr erp Crm

Sat, 23 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | - | Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Title | - | Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php
First Time appeared | - | Dolibarr; Dolibarr dolibarr Erp\/crm
Weaknesses | - | CWE-94
CPEs | - | cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
Vendors & Products | - | Dolibarr; Dolibarr dolibarr Erp\/crm
References | - |
Metrics | - | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:32:14.169Z

Reserved: 2026-05-23T16:27:56.915Z

Link: CVE-2018-25357

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses