Dolibarr erp/crm
This hub aggregates every CVE we track for Dolibarr erp/crm, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 107
- Critical: 24
- High: 33
- In CISA KEV: 0
Severity distribution
- MEDIUM: 50
- HIGH: 33
- CRITICAL: 24
Monthly trend
2024-07 to 2026-06, values in chart order: 0, 0, 0, 0, 1, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 2, 1, 5, 2, 0
Latest CVEs
The 15 most recently published vulnerabilities affecting Dolibarr erp/crm.
- CVE-2018-25357: Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php (score 9.8)
- CVE-2025-67486: Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields (score 7.2)
- CVE-2026-31019: In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticate... (score 8.8)
- CVE-2026-31018: In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user rest... (score 8.8)
- CVE-2026-23500: Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration (score 9.1)
- CVE-2019-25710: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter (score 8.2)
- CVE-2026-22666: Dolibarr ERP/CRM < 23.0.2 Authenticated RCE via dol_eval_standard() (score 7.2)
- CVE-2026-34036: Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php (score 6.5)
- CVE-2019-25452: Dolibarr ERP/CRM 10.0.1 SQL Injection via elemid (score 7.5)
- CVE-2019-25450: Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php (score 7.5)
- CVE-2021-47779: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation (score 5.4)
- CVE-2025-56588: Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter. (score 8.8)
- CVE-2024-55227: A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Tit... (score 9.0)
- CVE-2024-55228: A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title par... (score 9.0)
- CVE-2021-3991: Improper Authorization in dolibarr/dolibarr (score 4.3)
Product normalization is registry-driven with AI assist and human review.