CVE-2025-67486

UNKNOWN 0.0

Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.

CWE	CWE-74
Vendor	dolibarr
Product	dolibarr
Published	May 8, 2026
Last Updated	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr dolibarr

Be the first to know when new unknown vulnerabilities affecting dolibarr dolibarr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Dolibarr / dolibarr

<= 22.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

medium.com: https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e github.com: https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php