Description
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects Dolibarr ERP/CRM 22.0.0 through 22.0.4 and the 24.0.0-alpha pre-release and is attributed to htdocs/core/class/commonobject.class.php. That file is the shared base class that most Dolibarr business objects extend, not a page a browser requests on its own, so the injection point is reached through whatever module code calls into it; the published description does not name that entry point or the parameter involved. The weakness is classified as CWE-94 (code injection), and the stated outcome is execution of attacker-supplied PHP on the web server.

Affected Systems

Dolibarr ERP/CRM, versions 22.0.0–22.0.4 and 24.0.0-alpha.

Risk and Exploitability

The CVSS 3.1 vector published for this CVE is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3, High): network-reachable, low attack complexity, no privileges and no user interaction required, but only low confidentiality, integrity and availability impact. Those partial-impact ratings sit oddly beside a description of arbitrary code execution, and the SSVC assessment agrees with the vector ('Technical Impact': 'partial'), so either the score understates the flaw or the description overstates it; treat the severity as unsettled until a vendor advisory or a public proof of concept clarifies the trigger. The EPSS score below 1% and the absence of a CISA KEV entry both indicate that no exploitation had been observed at the time of writing, which is expected for a CVE published the previous day and is not evidence of low risk. Any Dolibarr instance on an affected version that is reachable from the Internet should be treated as exposed until it is fixed.

Generated by OpenCVE AI on May 28, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Watch the vendor's GitHub security advisories and release notes for a fix for CVE-2026-37713; none is listed on this page at the time of writing. Upgrade as soon as a fixed release is published and confirm the installed version afterwards (Dolibarr records it as DOL_VERSION in htdocs/filefunc.inc.php).
  • If an upgrade is not yet possible, reduce exposure: put the instance behind a VPN or an IP allow-list, or at minimum use the web server configuration (Apache .htaccess/httpd.conf or the nginx server block) to deny direct HTTP requests to htdocs/core/class/ and other include-only directories. Because the entry point is not documented, blocking that path alone is a partial mitigation, not a fix.
  • Harden PHP for the pool that serves Dolibarr: list system, exec, shell_exec, passthru, popen and proc_open in disable_functions if nothing in your deployment needs them. Note that eval is a language construct, not a function, and cannot be disabled this way, so a code-injection bug that reaches eval is unaffected by disable_functions. Avoid hand-editing commonobject.class.php to add validation; local patches to core files are overwritten by the next upgrade and are hard to audit, and the fix belongs in a vendor release.
  • Monitor web server and Dolibarr logs for requests that reference core/class/*.php directly (the normal UI never fetches these files), for request parameters carrying PHP syntax, and for the web server user spawning shells or writing new .php files under the document root; turn any of these into IDS or WAF rules.
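As an added example (not part of the OpenCVE page or of the Dolibarr project), the following Python ties the version check and the log-monitoring steps above together: it decides whether an installed release falls inside the ranges the CVE lists, reading that release from the DOL_VERSION define Dolibarr keeps in htdocs/filefunc.inc.php, and it scans web server access logs for direct requests to core/class/*.php, which the normal UI never makes. The filefunc excerpt and the log lines are constructed for the example; the exact shape of the DOL_VERSION line and the Apache combined log format are assumptions to adjust for your deployment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected versions exactly as the CVE description lists them. A version outside
# these ranges (for example the 23.x series) is merely unlisted, which this page
# does not equate with "unaffected".
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((22, 0, 0), (22, 0, 4)),
]
AFFECTED_PRERELEASES = {"24.0.0-alpha"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '22.0.3' into ((22, 0, 3), None) and '24.0.0-alpha' into ((24, 0, 0), 'alpha')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Dolibarr version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_affected(version: str) -> bool:
    """True only for versions the CVE explicitly lists; other pre-releases are not listed."""
    version = version.strip()
    if version in AFFECTED_PRERELEASES:
        return True
    numbers, prerelease = parse_version(version)
    if prerelease is not None:
        return False
    return any(low <= numbers <= high for low, high in AFFECTED_RANGES)


# Dolibarr records its release as a DOL_VERSION define in htdocs/filefunc.inc.php.
# The exact line shape below is an assumption; adjust the regex if your tree differs.
_DOL_VERSION_RE = re.compile(r"define\(\s*'DOL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_filefunc(source: str) -> Optional[str]:
    m = _DOL_VERSION_RE.search(source)
    return m.group(1) if m else None


# Constructed excerpt standing in for htdocs/filefunc.inc.php on an affected host.
SAMPLE_FILEFUNC = """<?php
if (!defined('DOL_VERSION')) {
    define('DOL_VERSION', '22.0.4');
}
"""

# Constructed Apache combined-format access log lines. Files under core/class/
# are included by other scripts and are never fetched by the normal Dolibarr UI,
# so a direct HTTP request to one is anomalous whatever status code it returned.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [27/May/2026:15:20:01 +0000] "GET /dolibarr/index.php?mainmenu=home HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:15:20:09 +0000] "GET /dolibarr/core/class/commonobject.class.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.4 - - [27/May/2026:15:21:44 +0000] "POST /dolibarr/core/class/commonobject.class.php?x=1 HTTP/1.1" 500 312 "-" "python-requests/2.32"
203.0.113.9 - - [27/May/2026:15:22:10 +0000] "GET /dolibarr/societe/card.php?socid=3 HTTP/1.1" 200 15332 "-" "Mozilla/5.0"
"""

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
_CLASS_PATH_RE = re.compile(r"/core/class/[^?\s]*\.php", re.IGNORECASE)


def suspicious_requests(log_text: str) -> List[Dict[str, object]]:
    """Return every parsed request whose path points into a core/class/ PHP file."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, timestamp, method, path, status = m.groups()
        if _CLASS_PATH_RE.search(path):
            hits.append({"ip": ip, "time": timestamp, "method": method,
                         "path": path, "status": int(status)})
    return hits


if __name__ == "__main__":
    installed = version_from_filefunc(SAMPLE_FILEFUNC)
    state = is_affected(installed) if installed else "unknown"
    print(f"installed Dolibarr {installed}: affected={state}")
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"ALERT {hit['time']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Point version_from_filefunc at the real file contents and suspicious_requests at your actual access log; a hit is a reason to investigate the source IP and the surrounding requests, not proof of compromise, and is_affected returning False for an unlisted release (such as 23.x) means only that the CVE text does not name it.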


Advisories

No advisories yet.

History

Thu, 28 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via commonobject.class.php in Dolibarr v22–v24

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Dolibarr
Dolibarr dolibarr
Vendors & Products Dolibarr
Dolibarr dolibarr

Wed, 27 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via commonobject.class.php in Dolibarr v22–v24
Weaknesses CWE-94

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T15:54:56.385Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37713

Vulnrichment

Updated: 2026-05-28T15:54:43.355Z

NVD

Status : Deferred

Published: 2026-05-27T15:16:27.007

Modified: 2026-05-28T17:16:20.993

Link: CVE-2026-37713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T18:15:23Z

Weaknesses