PT-2026-39008 · Dolibarr · Dolibarr
Published 2026-05-08 · Updated 2026-05-12 · CVE-2025-67486
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Dolibarr versions 22.0.2 and earlier
Description
An authenticated remote code execution issue exists in the user extrafields functionality of this ERP and CRM software. User-controlled input from the "computed value" field is passed to the PHP eval() function without adequate sanitization, which allows authenticated administrators to execute arbitrary PHP code on the server.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Special Elements Injection
Affected Products
Dolibarr