CVE-2021-47779

MEDIUM 5.4

Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

Dolibarr ERP-CRM 14.0.2 contains a stored cross-site scripting vulnerability in the ticket creation module that allows low-privilege users to inject malicious scripts. Attackers can craft a specially designed ticket message with embedded JavaScript that triggers when an administrator copies the text, potentially enabling privilege escalation.

CWE	CWE-79
Vendor	dolibarr
Product	crm
Published	Jan 15, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr crm

Be the first to know when new medium vulnerabilities affecting dolibarr crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Dolibarr / CRM

14.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50432 dolibarr.org: https://www.dolibarr.org/ github.com: https://github.com/Dolibarr vulncheck.com: https://www.vulncheck.com/advisories/dolibarr-erp-crm-stored-cross-site-scripting-xss-privilege-escalation

Credits

Oscar Gutierrez (m4xp0w3r)