Description
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. It affects the function _checkValForAPI in the file htdocs/expedition/class/expedition.class.php of the Shipments API Endpoint component. Manipulation of the argument fields leads to SQL injection. The attack can be carried out remotely but requires a high degree of complexity, and exploitability is reported as difficult. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dolibarr ERP CRM versions up to 23.0.2 contain a SQL injection flaw in the _checkValForAPI function used by the Shipments API endpoint. By manipulating the argument named fields sent to this API, a remote attacker could inject SQL into queries run against the backend database. The flaw stems from improper neutralization of user input, classified as SQL injection (CWE-89) and the broader injection class (CWE-74). Successful exploitation would allow the attacker to read, modify or delete data in the Dolibarr database, compromising the confidentiality, integrity and potentially the availability of business data.

Affected Systems

The affected product is Dolibarr ERP CRM, with versions up to 23.0.2 vulnerable to the described SQL injection flaw. No specific patches or remediations were provided by the vendor, and the vendor did not respond to the disclosure.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity overall, and the EPSS score is not available, suggesting a limited probability of automated exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitability is reported as difficult, yet an exploit is publicly available. The likely attack vector is remote, via the exposed Shipments API endpoint, and crafting a working SQL injection payload would require a high level of complexity. In the absence of an official fix, the risk depends on whether an attacker can deliver a suitable payload through the API and reach the database directly.

Generated by OpenCVE AI on May 3, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Dolibarr version newer than 23.0.2 once a vendor patch becomes available.
  • Enforce strict input validation and use parameterized queries or prepared statements for all API arguments to prevent SQL injection.
  • Restrict access to the Shipments API endpoint to authenticated and authorized users only, and monitor API traffic for anomalous query patterns.

Advisories

No advisories yet.

History

Sun, 03 May 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. It affects the function _checkValForAPI in the file htdocs/expedition/class/expedition.class.php of the Shipments API Endpoint component. Manipulation of the argument fields leads to SQL injection. The attack can be carried out remotely but requires a high degree of complexity, and exploitability is reported as difficult. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74, CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV2_0: score 4.6, vector AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  • cvssV3_0: score 5, vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV3_1: score 5, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV4_0: score 2.3, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T09:15:11.998Z

Reserved: 2026-05-02T16:27:22.949Z

Link: CVE-2026-7688

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T10:16:17.170

Modified: 2026-05-03T10:16:17.170

Link: CVE-2026-7688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T10:30:15Z

Weaknesses