Dolibarr Dolibarr Erp/crm — known CVE vulnerabilities
Every CVE whose affected-product data names Dolibarr Dolibarr Erp/crm, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (107)
CVE-2018-13447 — CVSS 9.8 (critical): SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands…
CVE-2018-13448 — CVSS 9.8 (critical): SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands…
CVE-2018-13449 — CVSS 9.8 (critical): SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands…
CVE-2021-33816 — CVSS 9.8 (critical): The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which…
CVE-2020-7995 — CVSS 9.8 (critical): The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
CVE-2017-7888 — CVSS 9.8 (critical): Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
CVE-2018-25357 — CVSS 9.8 (critical): Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by…
CVE-2018-13450 — CVSS 9.8 (critical): SQL injection vulnerability in product/card.php in Dolibarr ERP/CRM version 7.0.3 allows remote attackers to execute arbitrary SQL commands…
CVE-2013-2091 — CVSS 9.8 (critical): SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in…
CVE-2013-2093 — CVSS 9.8 (critical): Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute…
CVE-2022-43138 — CVSS 9.8 (critical): Dolibarr Open Source ERP & CRM for Business before v14.0.1 allows attackers to escalate privileges via a crafted API.
CVE-2022-4093 — CVSS 9.8 (critical): SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user…
CVE-2017-17897 — CVSS 9.8 (critical): SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL…
CVE-2022-40871 — CVSS 9.8 (critical): Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of…
CVE-2017-17899 — CVSS 9.8 (critical): SQL injection vulnerability in adherents/subscription/info.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute…
CVE-2017-17900 — CVSS 9.8 (critical): SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute arbitrary SQL commands…
CVE-2023-38888 — CVSS 9.6 (critical): Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and…
CVE-2024-5315 — CVSS 9.1 (critical): Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote…
CVE-2026-23500 — CVSS 9.1 (critical): Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0…
CVE-2024-5314 — CVSS 9.1 (critical): Vulnerabilities in Dolibarr ERP - CRM that affect version 9.0.1 and allow SQL injection. These vulnerabilities could allow a remote…
CVE-2024-55227 — CVSS 9.0 (critical): A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web…
CVE-2024-55228 — CVSS 9.0 (critical): A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts…
CVE-2024-29477 — CVSS 8.8 (high): Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the…
CVE-2017-18260 — CVSS 8.8 (high): Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities in versions through 7.0.0 via comm/propal/list.php (viewstatut…
CVE-2017-9839 — CVSS 8.8 (high): Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 via product/stats/card.php (type parameter).
CVE-2018-19994 — CVSS 8.8 (high): An error-based SQL injection vulnerability in product/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute…
CVE-2018-19998 — CVSS 8.8 (high): SQL injection vulnerability in user/card.php in Dolibarr version 8.0.2 allows remote authenticated users to execute arbitrary SQL commands…
CVE-2019-1010054 — CVSS 8.8 (high): Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable…
CVE-2019-11200 — CVSS 8.8 (high): Dolibarr ERP/CRM 9.0.1 provides a web-based functionality that backs up the database content to a dump file. However, the application…
CVE-2020-11825 — CVSS 8.8 (high): In Dolibarr 10.0.6, forms are protected with a CSRF token against CSRF attacks. The problem is any CSRF token in any user's session can be…
CVE-2021-36625 — CVSS 8.8 (high): An SQL Injection vulnerability exists in Dolibarr ERP/CRM 13.0.2 (fixed version is 14.0.0) via a POST request to the country_id parameter…
CVE-2023-30253 — CVSS 8.8 (high): Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in…
CVE-2023-38887 — CVSS 8.8 (high): File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive…
CVE-2024-37821 — CVSS 8.8 (high): An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute…
CVE-2025-56588 — CVSS 8.8 (high): Dolibarr ERP & CRM v21.0.1 were discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the…
CVE-2026-31018 — CVSS 8.8 (high): In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to…
CVE-2026-31019 — CVSS 8.8 (high): In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP…
CVE-2019-25710 — CVSS 8.2 (high): Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers…
CVE-2019-11201 — CVSS 8.0 (high): Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was…
CVE-2019-15062 — CVSS 8.0 (high): An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an IFRAME element (containing a user/card.php CSRF request) in his…
CVE-2019-25452 — CVSS 7.5 (high): Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows…
CVE-2023-33568 — CVSS 7.5 (high): An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer…
CVE-2021-37517 — CVSS 7.5 (high): An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the…
CVE-2012-1225 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Dolibarr CMS 3.2.0 Alpha and earlier allow remote authenticated users to execute arbitrary SQL…
CVE-2017-17898 — CVSS 7.5 (high): Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl.php files, which allows remote attackers to obtain sensitive…
CVE-2023-4197 — CVSS 7.5 (high): Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website…
CVE-2012-1226 — CVSS 7.5 (high): Multiple directory traversal vulnerabilities in Dolibarr CMS 3.2.0 Alpha allow remote attackers to read arbitrary files and possibly…
CVE-2024-31503 — CVSS 7.5 (high): Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session…
CVE-2020-35136 — CVSS 7.2 (high): Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the…
CVE-2023-38886 — CVSS 7.2 (high): An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.
CVE-2026-22666 — CVSS 7.2 (high): Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function…
CVE-2025-67486 — CVSS 7.2 (high): Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier…
CVE-2024-23817 — CVSS 7.1 (high): Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML…
CVE-2017-8879 — CVSS 6.8 (medium): Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the current password, which makes it easier for physically proximate…
CVE-2026-34036 — CVSS 6.5 (medium): Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and…
CVE-2014-3992 — CVSS 6.5 (medium): Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote authenticated users to execute arbitrary SQL commands via the…
CVE-2011-4802 — CVSS 6.5 (medium): Multiple SQL injection vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote authenticated users to execute arbitrary SQL…
CVE-2023-4198 — CVSS 6.5 (medium): Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing…
CVE-2021-33618 — CVSS 6.1 (medium): Dolibarr ERP and CRM 13.0.2 allows XSS via object details, as demonstrated by > and < characters in the onpointermove attribute of a BODY…
CVE-2020-7994 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 10.0.6 allow remote attackers to inject arbitrary web script or HTML via…
CVE-2020-14475 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0.3 allows remote attackers to inject arbitrary web script or HTML into…
CVE-2018-19993 — CVSS 6.1 (medium): A reflected cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2019-16197 — CVSS 6.1 (medium): In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text…
CVE-2013-2092 — CVSS 6.1 (medium): Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2017-17971 — CVSS 6.1 (medium): The test_sql_and_script_inject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick…
CVE-2019-1010016 — CVSS 6.1 (medium): Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing. The component is: htdocs/product/stats/card.php…
CVE-2017-1000509 — CVSS 5.4 (medium): Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerability in Product details that can result in execution of javascript…
CVE-2019-16685 — CVSS 5.4 (medium): Dolibarr 9.0.5 has stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users…
CVE-2019-16686 — CVSS 5.4 (medium): Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.
CVE-2019-16687 — CVSS 5.4 (medium): Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and…
CVE-2019-16688 — CVSS 5.4 (medium): Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack…
CVE-2019-17576 — CVSS 5.4 (medium): An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the /admin/mails.php?action=edit URI via…
CVE-2019-17577 — CVSS 5.4 (medium): An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via…
CVE-2019-17578 — CVSS 5.4 (medium): An issue was discovered in Dolibarr 10.0.2. It has XSS via the "outgoing email setup" feature in the admin/mails.php?action=edit URI via…
CVE-2019-19206 — CVSS 5.4 (medium): Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to JavaScript execution in an SVG image for a profile picture.
CVE-2020-11823 — CVSS 5.4 (medium): In Dolibarr 10.0.6, if USER_LOGIN_FAILED is active, there is a stored XSS vulnerability on the admin tools --> audit page. This may lead to…
CVE-2020-13239 — CVSS 5.4 (medium): The DMS/ECM module in Dolibarr 11.0.4 renders user-uploaded .html files in the browser when the attachment parameter is removed from the…
CVE-2020-13240 — CVSS 5.4 (medium): The DMS/ECM module in Dolibarr 11.0.4 allows users with the 'Setup documents directories' permission to rename uploaded files to have…
CVE-2020-13828 — CVSS 5.4 (medium): Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers…
CVE-2020-9016 — CVSS 5.4 (medium): Dolibarr 11.0 allows XSS via the joinfiles, topic, or code parameter, or the HTTP Referer header.
CVE-2022-22293 — CVSS 5.4 (medium): admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstrated by the MAIN_MAX_DECIMALS_TOT parameter.
CVE-2017-9838 — CVSS 5.4 (medium): Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities in versions before 5.0.4: index.php (leftmenu…
CVE-2018-19992 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or…
CVE-2018-19995 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability in Dolibarr 8.0.2 allows remote authenticated users to inject arbitrary web script or…
CVE-2019-11199 — CVSS 5.4 (medium): Dolibarr ERP/CRM 9.0.1 was affected by stored XSS within uploaded files. These vulnerabilities allowed the execution of a JavaScript…
CVE-2021-25956 — CVSS 4.7 (medium): In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s…
CVE-2011-4814 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary…
CVE-2021-3991 — CVSS 4.3 (medium): An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in…
CVE-2011-4329 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1)…