Description
Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Published: 2026-05-23
Score: 9.3 Critical
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dolibarr ERP CRM 7.0.3 contains a flaw that allows an attacker to execute arbitrary PHP code by injecting PHP into the db_name parameter of the install/step1.php script. When a crafted POST request is sent, the payload is evaluated, and the attacker can then use the check.php endpoint with a cmd parameter to run arbitrary system commands. This remote code execution compromises confidentiality, integrity, and availability of the affected server.

Affected Systems

The vulnerability affects the Dolibarr ERP CRM product, specifically version 7.0.3. No other Dolibarr releases or product lines have been confirmed to contain this flaw according to available data.

Risk and Exploitability

The CVSS score is 9.3, indicating critical severity, and the EPSS score of 2% suggests a modest probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, but absence of a KEV listing does not lower the risk. Attackers can exploit the flaw without authentication by sending a crafted POST request to install/step1.php, and subsequently execute commands via check.php.

Generated by OpenCVE AI on June 18, 2026 at 02:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr ERP CRM to a version that includes the fix (7.0.4 or later).
  • Remove or rename the install directory and delete install/step1.php from the web root to eliminate the vulnerable script.
  • Configure the web server or application firewall to block unauthenticated POST requests to install/step1.php and any other install-related endpoints.

Advisories
Source: Github GHSA
ID: GHSA-hxmh-2xc4-c894
Title: Dolibarr ERP CRM contains a remote code evaluation vulnerability
History

Tue, 26 May 2026 15:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values removed: Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Values added: Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

Type: Title
Values removed: Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php
Values added: Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php

Sat, 23 May 2026 19:45:00 +0000

Type: First Time appeared
Values added: Dolibarr erp Crm

Type: Vendors & Products
Values added: Dolibarr erp Crm

Sat, 23 May 2026 18:45:00 +0000

Type: Description
Values added: Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

Type: Title
Values added: Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php

Type: First Time appeared
Values added: Dolibarr; Dolibarr dolibarr Erp\/crm

Type: Weaknesses
Values added: CWE-94

Type: CPEs
Values added: cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Dolibarr; Dolibarr dolibarr Erp\/crm

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T13:35:57.192Z

Reserved: 2026-05-23T16:27:56.915Z

Link: CVE-2018-25357

Vulnrichment

Updated: 2026-05-26T13:35:54.194Z

NVD

Status: Analyzed

Published: 2026-05-23T19:16:56.033

Modified: 2026-06-17T01:55:18.460

Link: CVE-2018-25357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T02:30:15Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')