CVE-2026-23500

UNKNOWN 0.0

Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

CWE	CWE-78
Vendor	dolibarr
Product	dolibarr
Published	Apr 17, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr dolibarr

Be the first to know when new unknown vulnerabilities affecting dolibarr dolibarr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Dolibarr / dolibarr

< 23.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w github.com: https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0