CVE-2018-25357

CRITICAL 9.8

Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php

CVSS Score

9.8

EPSS Score

0.2%

EPSS Percentile

36th

Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

CWE	CWE-94
Vendor	dolibarr
Product	dolibarr erp crm
Published	May 23, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr dolibarr erp crm

Be the first to know when new critical vulnerabilities affecting dolibarr dolibarr erp crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Dolibarr / Dolibarr ERP CRM

0 ≤ 7.0.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/44964 dolibarr.org: https://dolibarr.org github.com: https://github.com/Dolibarr/dolibarr vulncheck.com: https://www.vulncheck.com/advisories/dolibarr-erp-crm-remote-code-evaluation-via-install-step1-php

Credits

om3rcitak - https://omercitak.com