Description
Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Published: 2026-05-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dolibarr ERP CRM 7.0.3 allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious content into the db_name parameter of the install/step1.php script. A POST request containing the injected PHP triggers execution, and the attacker can then run arbitrary system commands through the check.php endpoint by supplying a cmd GET parameter. This remote code execution compromises the confidentiality, integrity, and availability of the affected server.

Affected Systems

The affected vendor is Dolibarr, specifically the Dolibarr ERP CRM product. Only the 7.0.3 release carries the flaw. No other versions or product lines are known to be impacted according to the available data.

Risk and Exploitability

The reported CVSS score of 9.3 indicates critical severity. The EPSS score is 0.00156 (< 1%), indicating a low probability of exploitation. The vulnerability has not been listed in the CISA KEV catalog, yet the absence of a KEV listing does not reduce the risk. Attackers can gain full control of the affected system by abusing this path.

Generated by OpenCVE AI on May 26, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Dolibarr ERP CRM patch that addresses the remote code execution issue, preferably upgrading beyond version 7.0.3.
  • Remove or rename the install directory (install/step1.php) from the web root to prevent further use of the vulnerable script.
  • Configure the web server or application firewall to block all unauthenticated POST requests to install/step1.php or any install-related endpoints.
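As an added illustration of the last two recommended actions (this is not part of the OpenCVE record or of Dolibarr's own code), the script below triages constructed web-server access-log lines for the two-step pattern the description gives: a POST to install/step1.php followed by a request to check.php carrying a cmd parameter from the same source. The combined log format and the install/check.php path are assumptions; the injected PHP travels in the POST body, which access logs do not record, so only the request lines are inspected.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2026:19:01:02 +0000] "POST /install/step1.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [23/May/2026:19:01:05 +0000] "GET /install/check.php?cmd=id HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.7 - - [23/May/2026:19:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [23/May/2026:19:02:09 +0000] "GET /install/check.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, stage); stage is 'install_post', 'check_cmd' or None. None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    query = parse_qs(parts.query)
    stage = None
    if m.group("method") == "POST" and path.endswith("/install/step1.php"):
        stage = "install_post"      # injection step: the db_name value is in the unlogged body
    elif path.endswith("/check.php") and "cmd" in query:
        stage = "check_cmd"         # execution step: cmd GET parameter (path is an assumption)
    return m.group("ip"), stage

def stages_by_ip(log_text):
    """Map each source IP to the set of suspicious stages it produced."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None and result[1] is not None:
            seen[result[0]].add(result[1])
    return dict(seen)

def find_suspicious(log_text):
    """Source IPs that completed both stages; a single stage alone is left for manual review."""
    return [ip for ip, st in stages_by_ip(log_text).items()
            if {"install_post", "check_cmd"} <= st]

if __name__ == "__main__":
    for ip in find_suspicious(SAMPLE_LOG):
        print("possible install/step1.php -> check.php exploitation chain from", ip)
```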


Advisories

No advisories yet.

History

Tue, 26 May 2026 15:15:00 +0000

Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 13:45:00 +0000

Description removed: Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Description added: Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Title removed: Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php
Title added: Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php

Sat, 23 May 2026 19:45:00 +0000

First Time appeared: Dolibarr erp Crm
Vendors & Products added: Dolibarr erp Crm

Sat, 23 May 2026 18:45:00 +0000

Description added: Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Title added: Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php
First Time appeared: Dolibarr; Dolibarr dolibarr Erp\/crm
Weaknesses added: CWE-94
CPEs added: cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
Vendors & Products added: Dolibarr; Dolibarr dolibarr Erp\/crm
References
Metrics added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T13:35:57.192Z

Reserved: 2026-05-23T16:27:56.915Z

Link: CVE-2018-25357

Vulnrichment

Updated: 2026-05-26T13:35:54.194Z

NVD

Status: Analyzed

Published: 2026-05-23T19:16:56.033

Modified: 2026-05-27T15:56:19.693

Link: CVE-2018-25357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:45:08Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')