Description
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An insecure use of call_user_func_array inside Dolibarr’s cronjob handler allows a remote attacker to execute arbitrary PHP code when a cron job is triggered. The flaw resides in htdocs/cron/class/cronjob.class.php and permits injection of arbitrary function calls with user-supplied arguments, resulting in complete compromise of the affected system.

Affected Systems

Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and the 24.0.0-alpha release are susceptible. The vulnerability exists within the core cronjob module of the product, which is normally accessed via web requests or scheduled cron triggers.

Risk and Exploitability

The CVSS score and EPSS are not disclosed, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw permits arbitrary code execution from a remote request, the risk is considered high. An attacker would need to exploit an exposed cron job endpoint or invoke the cron scheduler, suggesting a remote attack vector that can be accessed over the network if the application is reachable. No specific exploitation prerequisites are stated in the description, implying that a public-facing instance of Dolibarr could be vulnerable if it accepts cron job requests from untrusted sources.

Generated by OpenCVE AI on May 27, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr to version 22.0.5 or later, or to the latest stable release that includes the cronjob fix.
  • If an immediate upgrade is not possible, edit htdocs/cron/class/cronjob.class.php to remove the call_user_func_array usage and restrict function execution to a vetted whitelist.
  • Limit public access to the cron job interface by implementing IP whitelisting or other access controls so that only authorized internal users can trigger cron jobs.
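As an added illustration of the allowlist approach in the second action above (example code written here, not Dolibarr's own; the job labels, handler functions and argument rules are hypothetical), a dispatcher that only ever passes callables from a fixed map to call_user_func_array() and refuses anything else:

```php
<?php
// Hypothetical cron dispatcher, added here as an example; not Dolibarr's code.
// The unsafe pattern it replaces hands a stored or user-controlled string to
// call_user_func_array(), so any PHP function becomes reachable.

// Allowlist: job label => [callable, expected argument count].
const ALLOWED_CRON_FUNCTIONS = [
    'purge_temp_files' => ['cron_purge_temp_files', 1],
    'send_reminders'   => ['cron_send_reminders', 0],
];

function cron_purge_temp_files(int $olderThanDays): string
{
    return "purged files older than {$olderThanDays} days";
}

function cron_send_reminders(): string
{
    return "reminders sent";
}

// Run a stored job by label; anything not explicitly allowed is refused.
function run_cron_job(string $label, array $params): string
{
    if (!array_key_exists($label, ALLOWED_CRON_FUNCTIONS)) {
        throw new InvalidArgumentException("unknown cron job: {$label}");
    }
    [$callable, $arity] = ALLOWED_CRON_FUNCTIONS[$label];
    // Positional, scalar arguments only, in the exact number the handler takes.
    if (count($params) !== $arity || $params !== array_values($params)) {
        throw new InvalidArgumentException("bad argument list for {$label}");
    }
    foreach ($params as $p) {
        if (!is_scalar($p)) {
            throw new InvalidArgumentException("non-scalar argument for {$label}");
        }
    }
    // $callable comes from the constant map above, never from the job record.
    return call_user_func_array($callable, $params);
}

// Constructed inputs: an allowed job runs; an unknown label is rejected.
echo run_cron_job('purge_temp_files', [7]), PHP_EOL;
try {
    run_cron_job('not_on_the_list', ['x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point is that the function name stored with the job is only ever used as a lookup key, so a tampered job record cannot name a function outside the map.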

Advisories

No advisories yet.

History

Thu, 28 May 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 04:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Dolibarr; Dolibarr dolibarr

Type: Vendors & Products
Values Removed: (none)
Values Added: Dolibarr; Dolibarr dolibarr

Wed, 27 May 2026 21:15:00 +0000

Type: Title
Values Removed: (none)
Values Added: Arbitrary Code Execution in Dolibarr ERP/CRM Through Unvalidated Dynamic Function Calls

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-94

Wed, 27 May 2026 15:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/cron/class/cronjob.class.php, call_user_func_array() in function job type

Type: References
Values Removed: (none)
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T15:56:17.176Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37712

Vulnrichment

Updated: 2026-05-28T15:56:11.774Z

NVD

Status : Deferred

Published: 2026-05-27T15:16:26.887

Modified: 2026-05-28T17:16:20.823

Link: CVE-2026-37712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T04:15:06Z

Weaknesses