Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.
Published: 2026-04-17
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS Command Injection flaw in the ODT‑to‑PDF conversion routine of Dolibarr. The code concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command and passes it to exec() without sanitization. This allows an authenticated administrator to inject arbitrary operating‑system commands into the command string, resulting in remote code execution on the web server account when any ODT template is processed.
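The flaw described above is a configuration value reaching exec() unvalidated and unquoted. As an added example that is not Dolibarr's code, this is the kind of validation and quoting layer a maintainer can place between a setting such as MAIN_ODT_AS_PDF and the shell; the converter allowlist, the function names and the LibreOffice-style arguments are assumptions.

```php
<?php
// Added example (not Dolibarr's code): validate a converter setting and
// quote every argument before anything reaches exec(). Assumed allowlist.
declare(strict_types=1);

const ALLOWED_CONVERTERS = ['soffice', 'libreoffice', 'unoconv']; // assumption

/**
 * Accept only a bare program name or an absolute path made of safe
 * characters whose basename is on the allowlist. Separators, quotes,
 * whitespace, $(), backticks, redirections and newlines never match.
 */
function isSafeConverterSetting(string $value): bool
{
    if ($value === '' || strlen($value) > 255) {
        return false;
    }
    // \z (not $) so a trailing newline cannot slip through.
    if (preg_match('#\A/?(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]+\z#', $value) !== 1) {
        return false;
    }
    return in_array(basename($value), ALLOWED_CONVERTERS, true);
}

/**
 * Build the command as an argv-style list and quote each element with
 * escapeshellarg(), so neither the setting nor the file names can alter
 * the command structure. Returns null on an unsafe setting; the caller
 * should log and abort rather than fall back to the raw value.
 */
function buildOdtToPdfCommand(string $setting, string $odtPath, string $outDir): ?string
{
    if (!isSafeConverterSetting($setting)) {
        return null;
    }
    // Assumed LibreOffice-style invocation; adapt to the converter in use.
    $argv = [$setting, '--headless', '--convert-to', 'pdf', '--outdir', $outDir, $odtPath];
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample settings for a self-check of the validator.
$samples = [
    'soffice'                  => true,   // plain allowlisted name
    '/usr/bin/libreoffice'     => true,   // absolute path, allowlisted basename
    '/bin/sh'                  => false,  // safe characters, but not a converter
    'soffice; echo injected'   => false,  // command separator rejected
    "soffice\necho injected"   => false,  // embedded newline rejected
];
foreach ($samples as $setting => $expected) {
    $ok = isSafeConverterSetting($setting);
    printf("%-30s %s\n", json_encode($setting), $ok === $expected ? 'as expected' : 'MISMATCH');
}
echo buildOdtToPdfCommand('soffice', '/tmp/in.odt', '/tmp/out'), "\n";
```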

Affected Systems

Dolibarr ERP/CRM software, all releases older than 23.0.0, is affected. The flaw resides in the odf.php module and impacts administrators who can set the MAIN_ODT_AS_PDF constant, which is used whenever ODT templates are converted to PDF.

Risk and Exploitability

The CVSS score of 9.4 classifies it as Critical. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, suggesting it may not yet be widely exploited. However, the exploit requires only valid administrator credentials and can be triggered during normal template generation, giving attackers immediate remote code execution on the web server. The weakness is categorized as CWE‑78.

Generated by OpenCVE AI on April 18, 2026 at 09:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr to version 23.0.0 or later
  • Restrict or reset the MAIN_ODT_AS_PDF configuration to a safe value, or disable ODT‑to‑PDF conversions if not needed
  • Limit administrator access and ensure that only trusted personnel can modify configuration settings


Advisories

Source: GitHub GHSA
ID: GHSA-w5j3-8fcr-h87w
Title: Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration

History

Sat, 18 Apr 2026 03:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Dolibarr; Dolibarr dolibarr

Type: Vendors & Products
Values Added: Dolibarr; Dolibarr dolibarr

Fri, 17 Apr 2026 20:45:00 +0000

Type: Description
Values Added: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

Type: Title
Values Added: Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration

Type: Weaknesses
Values Added: CWE-78

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0
{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T03:06:20.406Z

Reserved: 2026-01-13T15:47:41.630Z

Link: CVE-2026-23500

Vulnrichment

Updated: 2026-04-18T03:06:16.004Z

NVD

Status: Received

Published: 2026-04-17T21:16:31.890

Modified: 2026-04-17T21:16:31.890

Link: CVE-2026-23500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses