Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of the time of publication, no patched versions are available.
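The description above names the root cause but not the shape of the code. The following is an added illustration written for this page; it is not Dolibarr's own code, and the class, method and field names (`ExtrafieldComputer`, `computeVulnerable`, `computeSafe`, the `$row` columns) are hypothetical. It shows the vulnerable pattern the advisory describes, an admin-supplied "computed value" string handed straight to `eval()`, next to a hardened replacement that interprets a small arithmetic grammar itself, so the expression can only compute over numeric fields and never run PHP.

```php
<?php
// Added example, not Dolibarr code. Models a "computed value" extrafield:
// an administrator stores an expression, and it is later evaluated against
// a record. All names here are hypothetical.

declare(strict_types=1);

final class ExtrafieldComputer
{
    /**
     * VULNERABLE pattern (do not use): the stored expression goes straight
     * into eval(). Anyone who can edit the extrafield definition, an admin
     * or an attacker riding an admin session, gets arbitrary PHP execution
     * with the web server's privileges. $object is exposed to the expression
     * on purpose, as a "computed value" feature would do.
     */
    public static function computeVulnerable(string $expr, array $row): mixed
    {
        $object = (object) $row;
        return eval('return ' . $expr . ';'); // $expr could be "system('id')"
    }

    /**
     * HARDENED pattern: never hand the string to eval(). Tokenize against a
     * whitelist and evaluate a tiny grammar (numbers, field names, + - * /,
     * parentheses, unary minus) with a hand-written recursive-descent parser.
     */
    public static function computeSafe(string $expr, array $row): float
    {
        $tokens = self::tokenize($expr);
        $pos = 0;
        $value = self::parseExpr($tokens, $pos, $row);
        if ($pos !== count($tokens)) {
            throw new InvalidArgumentException("Unexpected token '{$tokens[$pos]}'");
        }
        return $value;
    }

    private static function tokenize(string $expr): array
    {
        $expr = preg_replace('/\s+/', '', $expr);
        $tok = '\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()]';
        // Whole-string whitelist check first: quotes, $, ;, -> etc. are rejected here.
        if ($expr === '' || !preg_match("/^(?:$tok)+$/", $expr)) {
            throw new InvalidArgumentException('Expression contains characters outside the allowed grammar');
        }
        preg_match_all("/$tok/", $expr, $m);
        return $m[0];
    }

    // expr := term (('+' | '-') term)*
    private static function parseExpr(array $t, int &$p, array $row): float
    {
        $v = self::parseTerm($t, $p, $row);
        while ($p < count($t) && ($t[$p] === '+' || $t[$p] === '-')) {
            $op = $t[$p++];
            $r = self::parseTerm($t, $p, $row);
            $v = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    // term := factor (('*' | '/') factor)*
    private static function parseTerm(array $t, int &$p, array $row): float
    {
        $v = self::parseFactor($t, $p, $row);
        while ($p < count($t) && ($t[$p] === '*' || $t[$p] === '/')) {
            $op = $t[$p++];
            $r = self::parseFactor($t, $p, $row);
            if ($op === '/' && $r == 0.0) {
                throw new DivisionByZeroError('Division by zero in computed field');
            }
            $v = ($op === '*') ? $v * $r : $v / $r;
        }
        return $v;
    }

    // factor := number | fieldname | '(' expr ')' | '-' factor
    private static function parseFactor(array $t, int &$p, array $row): float
    {
        if ($p >= count($t)) {
            throw new InvalidArgumentException('Unexpected end of expression');
        }
        $tok = $t[$p++];
        if ($tok === '-') {
            return -self::parseFactor($t, $p, $row);
        }
        if ($tok === '(') {
            $v = self::parseExpr($t, $p, $row);
            if (($t[$p++] ?? null) !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $v;
        }
        if (is_numeric($tok)) {
            return (float) $tok;
        }
        // Identifiers resolve only to numeric columns of the current record.
        if (!array_key_exists($tok, $row) || !is_numeric($row[$tok])) {
            throw new InvalidArgumentException("Unknown or non-numeric field '$tok'");
        }
        return (float) $row[$tok];
    }
}

// Constructed sample record standing in for an object's columns.
$row = ['total_ht' => 1000, 'qty' => 3, 'discount_pct' => 10];

echo ExtrafieldComputer::computeSafe('total_ht * qty * (1 - discount_pct / 100)', $row), "\n"; // 2700

try {
    ExtrafieldComputer::computeSafe("system('id')", $row);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The design point is that a denylist in front of `eval()` (stripping `system`, backticks and so on) is not a fix, because PHP offers too many ways to reach code execution through variable functions, string concatenation and the like; the only robust fix is to stop calling `eval()` on administrator-supplied text and evaluate a closed grammar instead. Until a fixed release exists, two checks are worth doing: audit every stored "computed value" expression for anything beyond plain arithmetic over field names (to my knowledge these live in the `fieldcomputed` column of `llx_extrafields`; verify against your schema), and treat admin accounts as equivalent to shell access on the Dolibarr host, since that is what this feature grants them. Note also that the reference this tracker labels "Patch" points at `functions.lib.php` as of tag 22.0.2, which the description lists as affected; read it as the location of the vulnerable code path, not as a fix.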
History
12 May 2026, 20:54

| Type | Values Removed | Values Added |
|---|---|---|
| CPE | | cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:* |
| References | | https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php (Patch) |
| References | | https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e (Exploit, Third Party Advisory) |
| CVSS | | v2: unknown; v3: 7.2 |
| First Time | | Dolibarr dolibarr Erp\/crm; Dolibarr |
08 May 2026, 15:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-05-08 15:16
Updated : 2026-05-12 20:54
NVD link : CVE-2025-67486
Mitre link : CVE-2025-67486
CVE.ORG link : CVE-2025-67486
Products Affected
dolibarr
- dolibarr_erp\/crm
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
