PT-2026-33504 · Dolibarr · Dolibarr

Lukasz-Rybak · Published 2026-04-17 · Updated 2026-05-10 · CVE-2026-23500

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Dolibarr versions prior to 23.0.0

Description: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. An authenticated administrator can achieve remote code execution as the web server user by injecting arbitrary OS commands into the MAIN_ODT_AS_PDF configuration constant. The injection occurs during the ODT-to-PDF conversion step in odf.php, where the constant is concatenated directly into a shell command string passed to exec() without sanitization. Approximately 56.8K services are estimated to be affected worldwide.

Recommendations: Update to version 23.0.0. As a temporary workaround, restrict administrative access to the configuration settings for the MAIN_ODT_AS_PDF constant to minimize the risk of exploitation.
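The following PHP is an added illustration, not Dolibarr's odf.php code: it places the unsafe pattern the description names (an admin-editable setting concatenated into an exec() string) beside a hardened version in which the setting only selects an allowlisted converter and never reaches the shell. Function names, the CONVERTERS table and the libreoffice invocation are assumptions for the example.

```php
<?php
// Illustrative code, not Dolibarr's. Assumed names: convert_odt_to_pdf_unsafe,
// convert_odt_to_pdf_safe, CONVERTERS.

// Unsafe pattern described in the advisory: the configuration value is joined
// into the command string, so shell metacharacters in it are executed as the
// web server user.
function convert_odt_to_pdf_unsafe(string $converterSetting, string $odtPath): int
{
    exec($converterSetting . ' ' . $odtPath, $output, $rc);
    return $rc;
}

// Hardened pattern: the setting is a key into a fixed table of argument vectors.
// Only data (paths) is passed through, and each token is escapeshellarg()'d.
const CONVERTERS = [
    // Assumed converter; the real path and flags depend on the deployment.
    'libreoffice' => ['/usr/bin/libreoffice', '--headless', '--convert-to', 'pdf', '--outdir'],
];

function convert_odt_to_pdf_safe(string $converterSetting, string $odtPath, string $outDir): int
{
    if (!array_key_exists($converterSetting, CONVERTERS)) {
        // Unknown value: refuse rather than interpret it, and leave an audit trail.
        error_log('odt2pdf: rejected converter setting ' . json_encode($converterSetting));
        return 1;
    }
    $real = realpath($odtPath);
    if ($real === false || strtolower(substr($real, -4)) !== '.odt') {
        error_log('odt2pdf: rejected input path ' . json_encode($odtPath));
        return 1;
    }
    // Command built from fixed tokens plus quoted data; no user string is parsed by sh.
    $argv = array_merge(CONVERTERS[$converterSetting], [$outDir, $real]);
    $cmd  = implode(' ', array_map('escapeshellarg', $argv));
    exec($cmd, $output, $rc);
    return $rc;
}
```

On an unpatched instance, the same allowlist idea applies to the workaround above: review the stored value of MAIN_ODT_AS_PDF for anything other than a known converter name and alert on changes to it.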

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-23500
GHSA-W5J3-8FCR-H87W

Affected Products

Dolibarr