Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.
Published: 2026-05-08
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dolibarr versions 22.0.2 and earlier allow an authenticated administrator to execute arbitrary PHP code on the server by injecting code into the "computed value" field of user extrafields. The input is passed directly to PHP's eval() function without any sanitization, which classifies the weakness as CWE‑74. As a result, an attacker who holds administrative privileges can run any code on the web server, leading to full control of the application, its data and potentially the underlying operating system. Network reachability alone is not sufficient: exploitation requires a logged‑in administrator session.

Affected Systems

The affected product is Dolibarr ERP/CRM. All releases up to and including 22.0.2 are impacted. No patched versions are available at the time of this reporting.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating high severity. EPSS data are not available and the vulnerability is not listed in CISA’s KEV catalog, but the absence of a patch means the risk remains unmitigated. The likely attack vector is the web interface: an authenticated administrator can reach the user extrafields screen and supply malicious input. Because the input reaches eval() without sanitization, no filter bypass is needed, which makes exploitation straightforward for an adversary familiar with Dolibarr administration.

Generated by OpenCVE AI on May 8, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr to a version newer than 22.0.2 once a patch is released.
  • Disable or remove the user extrafields functionality entirely, or block the "computed value" field from accepting user input.
  • Restrict administrator access to the system; ensure that only trusted personnel have privileges to edit extrafields and other high‑privilege functions.
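Until a fix ships, an audit of the computed values already stored is a practical complement to the actions above. The following Python is an added example, not code from OpenCVE or the Dolibarr project: it assumes benign computed values consist only of `$obj->property` references, literals and arithmetic/comparison operators, and the sample rows are constructed (the table name `llx_extrafields` is an assumption).

```python
import re

# Constructs that should never appear in a computed-value expression.
# Constructed deny-list for this example, not a Dolibarr artefact.
DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|"
    r"file_put_contents|fopen|unlink|base64_decode|create_function|"
    r"call_user_func(_array)?)\s*\("
    r"|\b(include|require)(_once)?\b|`|\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b",
    re.IGNORECASE,
)

# Allow-list applied by deletion: after removing $obj->property references,
# string literals, numbers and operators, nothing should remain.
ALLOWED = [
    re.compile(r"\$obj(->[A-Za-z_][A-Za-z0-9_]*)+"),  # field references
    re.compile(r"'[^']*'|\"[^\"]*\""),                  # quoted string literals
    re.compile(r"\d+(\.\d+)?"),                          # numeric literals
    re.compile(r"[\s+\-*/%().,<>=!?:&|]"),                # operators, punctuation
]

def classify(expr):
    """Return 'dangerous', 'unexpected' or 'ok' for one computed-value string."""
    if DANGEROUS.search(expr):
        return "dangerous"
    rest = expr
    for pattern in ALLOWED:
        rest = pattern.sub("", rest)
    return "ok" if rest == "" else "unexpected"

# Constructed sample rows (name, computed value); a real audit would read them
# from the Dolibarr extrafields table (assumed name: llx_extrafields).
SAMPLE_ROWS = [
    ("margin", "$obj->total_ht - $obj->cost"),
    ("prio_label", "'Prio ' . $obj->priority"),
    ("rounded", "round($obj->total_ttc, 2)"),
    ("backdoor", "system($_GET['c'])"),
]

def audit(rows):
    """Return (name, verdict) for every row that needs review (verdict != 'ok')."""
    verdicts = ((name, classify(expr)) for name, expr in rows)
    return [(n, v) for n, v in verdicts if v != "ok"]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ROWS):
        print(f"{verdict:10} {name}")
```

Anything reported as "unexpected" (such as a function call) is not necessarily malicious, but it is exactly the class of value an administrator should confirm by hand while the field is unsanitized.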

Advisories

No advisories yet.

History

Fri, 08 May 2026 16:30:00 +0000
  First Time appeared: values added: Dolibarr; Dolibarr dolibarr
  Vendors & Products: values added: Dolibarr; Dolibarr dolibarr

Fri, 08 May 2026 15:15:00 +0000
  Metrics (ssvc): values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 14:45:00 +0000
  Description: values added: the Description text shown at the top of this record
  Title: values added: Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields
  Weaknesses: values added: CWE-74
  References:
  Metrics (cvssV4_0): values added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T15:09:50.897Z

Reserved: 2025-12-08T18:02:08.846Z

Link: CVE-2025-67486

Vulnrichment

Updated: 2026-05-08T15:00:15.459Z

NVD

Status: Awaiting Analysis

Published: 2026-05-08T15:16:35.043

Modified: 2026-05-08T16:02:14.343

Link: CVE-2025-67486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T16:15:12Z

Weaknesses