Dolibarr

This hub aggregates every CVE we track for Dolibarr, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Dolibarr.

• CVE-2025-67486Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields7.2May 8, 2026
• CVE-2026-23500Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration9.1Apr 17, 2026
• CVE-2026-34036Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php6.5Mar 31, 2026
• CVE-2020-36966Dolibarr 11.0.3 - 'ldap.php' - Persistent Cross-Site Scripting6.4Jan 30, 2026
• CVE-2024-55227A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Tit...9.0Jan 27, 2025
• CVE-2024-55228A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTMl via a crafted payload injected into the Title par...9.0Jan 27, 2025
• CVE-2024-23817Dolibarr Application Home Page HTML injection vulnerability7.1Jan 25, 2024
• CVE-2021-42220A Cross Site Scripting (XSS) vulnerability exists in Dolibarr before 14.0.3 via the ticket creation flow. Exploitation requires that an admin copies the payload into a box.5.4Dec 15, 2021
• CVE-2021-25956Improper User Access Control in "Dolibarr" Leads to Account Takeover4.7Aug 17, 2021
• CVE-2021-25957Account Takeover in "Dolibarr" via Password Reset Functionality8.8Aug 17, 2021
• CVE-2021-25955Stored XSS in “Dolibarr” leads to privilege escalation9.0Aug 15, 2021
• CVE-2021-25954Improper Access Control in “Dolibarr”4.3Aug 9, 2021
• CVE-2020-14209Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htacces...8.8Sep 2, 2020
• CVE-2020-14201Dolibarr CRM before 11.0.5 allows privilege escalation. This could allow remote authenticated attackers to upload arbitrary files via societe/document.php in which "disabled" is changed to "enabled...6.5Aug 21, 2020
• CVE-2020-14443A SQL injection vulnerability in accountancy/customer/card.php in Dolibarr 11.0.3 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.8.8Jun 18, 2020