PT-2026-36692 · Unknown · Dolibarr Erp/Crm

Chris Oakley +1
Published 2026-05-03 · Updated 2026-05-03
CVE-2026-7688
CVSS v3.1: 5.0 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Dolibarr ERP CRM versions prior to 23.0.3
Description: A SQL injection issue exists in the Shipments API endpoint. The flaw is located in the checkValForAPI() function of the file htdocs/expedition/class/expedition.class.php. Remote attackers can exploit it by manipulating the fields argument. The attack requires a high degree of complexity and is considered difficult to execute.
Recommendations: Update to a version later than 23.0.2. As a temporary workaround, restrict access to the Shipments API endpoint or avoid using the fields argument of the checkValForAPI() function until a patch is applied.
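The defensive check this class of bug calls for is an allowlist on the caller-supplied field list before any of it reaches the query text. The following is an added illustration, not Dolibarr's code: the table, column names, function names and the sqlite3 backend are all assumptions chosen so it runs stand-alone.

```python
import re
import sqlite3

# Constructed allowlist standing in for the columns a shipments endpoint may
# return; the names are assumptions, not Dolibarr's real schema.
ALLOWED_FIELDS = {"rowid", "ref", "date_creation", "fk_statut"}
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

class InvalidFieldError(ValueError):
    """Raised when a caller-supplied field name is not on the allowlist."""

def check_fields(fields):
    """Return the requested names once each is a plain identifier that is in
    ALLOWED_FIELDS; reject everything else so no caller-controlled text
    ever reaches the SQL string."""
    if not fields:
        raise InvalidFieldError("no fields requested")
    clean = []
    for name in fields:
        if (not isinstance(name, str) or not _IDENT_RE.match(name)
                or name not in ALLOWED_FIELDS):
            raise InvalidFieldError(f"field not allowed: {name!r}")
        clean.append(name)
    return clean

def is_rejected(fields):
    """True if check_fields refuses the list (handy for tests and logging)."""
    try:
        check_fields(fields)
    except InvalidFieldError:
        return True
    return False

def build_select(fields, table="shipment"):
    """Compose the column list only from allowlisted identifiers; the row id
    is bound as a parameter, never interpolated."""
    cols = ", ".join(f'"{name}"' for name in check_fields(fields))
    return f'SELECT {cols} FROM "{table}" WHERE rowid = ?'

def fetch_shipment(conn, fields, rowid):
    """Run the allowlisted query against an open sqlite3 connection."""
    return conn.execute(build_select(fields), (rowid,)).fetchone()

def demo_db():
    """Constructed in-memory table holding one sample shipment row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shipment (rowid INTEGER PRIMARY KEY, ref TEXT, date_creation TEXT, fk_statut INTEGER)")
    conn.execute("INSERT INTO shipment VALUES (1, 'SH-0001', '2026-05-01', 1)")
    return conn
```

Rejected requests are a useful detection signal: logging each InvalidFieldError with the offending value and the calling principal gives a cheap indicator of probing against the endpoint.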

Weakness Enumeration: Special Elements Injection; SQL injection

Related Identifiers: CVE-2026-7688, GHSA-RVWR-Q5HJ-WQ7G

Affected Products: Dolibarr Erp/Crm