Search

Find a vulnerability

Search criteria

    10 vulnerabilities found for ERP CRM by Dolibarr

    CVE-2026-11619 (GCVE-0-2026-11619)

    Vulnerability from nvd – Published: 2026-06-09 02:30 – Updated: 2026-06-09 14:50 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization
    Summary
    A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Unaffected: 23.0.3
        cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Abderrahmane Aksoum (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11619",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T14:49:04.088148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:50:39.911Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/834038"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Legacy Filemanager"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                },
                {
                  "status": "unaffected",
                  "version": "23.0.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Abderrahmane Aksoum (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-09T02:30:12.759Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-369300 | Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/369300"
            },
            {
              "name": "VDB-369300 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/369300/cti"
            },
            {
              "name": "CVE-2026-11619 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-11619"
            },
            {
              "name": "Submit #834038 | Dolibarr Dolibarr ERP/CRM  up to 23.0.3 Missing Authorization",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/834038"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/dolibarr/dolibarr/commit/f1b2dd6481e22cacb561d29ffdcd3a50b618479d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-08T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-08T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-08T22:18:03.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-11619",
        "datePublished": "2026-06-09T02:30:12.759Z",
        "dateReserved": "2026-06-08T20:12:59.884Z",
        "dateUpdated": "2026-06-09T14:50:39.911Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10215 (GCVE-0-2026-10215)

    Vulnerability from nvd – Published: 2026-06-01 02:15 – Updated: 2026-06-03 17:53 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
    Summary
    A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Unaffected: 23.0.2
        cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mitch311 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10215",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T17:51:45.697233Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T17:53:15.068Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/Dolibarr/dolibarr/issues/37752"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Leave Request REST API"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "unaffected",
                  "version": "23.0.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mitch311 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T02:15:09.249Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-367494 | Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/367494"
            },
            {
              "name": "VDB-367494 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/367494/cti"
            },
            {
              "name": "CVE-2026-10215 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10215"
            },
            {
              "name": "Submit #821930 | Dolibarr Dolibarr ERP/CRM \u003c=23.0.1 Incorrect Authorization",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/821930"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/issues/37752"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/user-attachments/files/26487388/2_Dolibarr_Leave_Request_API_Horizontal_Unauthorized_Read_en.pdf"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-31T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-31T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-31T09:37:43.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10215",
        "datePublished": "2026-06-01T02:15:09.249Z",
        "dateReserved": "2026-05-31T07:32:35.727Z",
        "dateUpdated": "2026-06-03T17:53:15.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10154 (GCVE-0-2026-10154)

    Vulnerability from nvd – Published: 2026-05-30 23:00 – Updated: 2026-06-01 15:07 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM messaging.php authorization
    Summary
    A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Unaffected: 23.0.3
        cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Abderrahmane Aksoum (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10154",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T15:07:46.108145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T15:07:52.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/818838"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                },
                {
                  "status": "unaffected",
                  "version": "23.0.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Abderrahmane Aksoum (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-30T23:00:13.659Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-367407 | Dolibarr ERP CRM messaging.php authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/367407"
            },
            {
              "name": "VDB-367407 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/367407/cti"
            },
            {
              "name": "Submit #818838 | Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/818838"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-30T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-30T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-30T07:57:44.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM messaging.php authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10154",
        "datePublished": "2026-05-30T23:00:13.659Z",
        "dateReserved": "2026-05-30T05:52:24.717Z",
        "dateUpdated": "2026-06-01T15:07:52.012Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7689 (GCVE-0-2026-7689)

    Vulnerability from nvd – Published: 2026-05-03 09:30 – Updated: 2026-05-04 13:07 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification
    Summary
    A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/360859 vdb-entrytechnical-description
    https://vuldb.com/vuln/360859/cti signaturepermissions-required
    https://vuldb.com/submit/801794 third-party-advisory
    https://gist.github.com/Shaon-Xis/d6ae069fc54f006… exploit
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Create a notification for this product.
    Credits
    yan1451 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7689",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-04T13:07:21.137379Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-04T13:07:29.907Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Online Signature Module"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "yan1451 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-03T09:30:13.135Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-360859 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/360859"
            },
            {
              "name": "VDB-360859 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/360859/cti"
            },
            {
              "name": "Submit #801794 | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/801794"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-02T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-02T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-02T18:32:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7689",
        "datePublished": "2026-05-03T09:30:13.135Z",
        "dateReserved": "2026-05-02T16:27:26.747Z",
        "dateUpdated": "2026-05-04T13:07:29.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7688 (GCVE-0-2026-7688)

    Vulnerability from nvd – Published: 2026-05-03 09:15 – Updated: 2026-05-05 19:48 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection
    Summary
    A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/360858 vdb-entrytechnical-description
    https://vuldb.com/vuln/360858/cti signaturepermissions-required
    https://vuldb.com/submit/799337 third-party-advisory
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Create a notification for this product.
    Credits
    Chris Oakley chris00 (VulDB User) chris00 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7688",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T19:47:51.447186Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T19:48:37.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/799337"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Shipments API Endpoint"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Oakley"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "chris00 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "chris00 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.6,
                "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-03T09:15:11.998Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/360858"
            },
            {
              "name": "VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/360858/cti"
            },
            {
              "name": "Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/799337"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-02T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-02T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-02T21:49:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7688",
        "datePublished": "2026-05-03T09:15:11.998Z",
        "dateReserved": "2026-05-02T16:27:22.949Z",
        "dateUpdated": "2026-05-05T19:48:37.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11619 (GCVE-0-2026-11619)

    Vulnerability from cvelistv5 – Published: 2026-06-09 02:30 – Updated: 2026-06-09 14:50 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization
    Summary
    A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Unaffected: 23.0.3
        cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Abderrahmane Aksoum (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11619",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-09T14:49:04.088148Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-09T14:50:39.911Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/834038"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Legacy Filemanager"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                },
                {
                  "status": "unaffected",
                  "version": "23.0.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Abderrahmane Aksoum (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-09T02:30:12.759Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-369300 | Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/369300"
            },
            {
              "name": "VDB-369300 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/369300/cti"
            },
            {
              "name": "CVE-2026-11619 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-11619"
            },
            {
              "name": "Submit #834038 | Dolibarr Dolibarr ERP/CRM  up to 23.0.3 Missing Authorization",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/834038"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/dolibarr/dolibarr/commit/f1b2dd6481e22cacb561d29ffdcd3a50b618479d"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-08T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-08T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-08T22:18:03.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-11619",
        "datePublished": "2026-06-09T02:30:12.759Z",
        "dateReserved": "2026-06-08T20:12:59.884Z",
        "dateUpdated": "2026-06-09T14:50:39.911Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10215 (GCVE-0-2026-10215)

    Vulnerability from cvelistv5 – Published: 2026-06-01 02:15 – Updated: 2026-06-03 17:53 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
    Summary
    A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Unaffected: 23.0.2
        cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mitch311 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10215",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-03T17:51:45.697233Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-03T17:53:15.068Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/Dolibarr/dolibarr/issues/37752"
              },
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Leave Request REST API"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "unaffected",
                  "version": "23.0.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mitch311 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T02:15:09.249Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-367494 | Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/367494"
            },
            {
              "name": "VDB-367494 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/367494/cti"
            },
            {
              "name": "CVE-2026-10215 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10215"
            },
            {
              "name": "Submit #821930 | Dolibarr Dolibarr ERP/CRM \u003c=23.0.1 Incorrect Authorization",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/821930"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/issues/37752"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/user-attachments/files/26487388/2_Dolibarr_Leave_Request_API_Horizontal_Unauthorized_Read_en.pdf"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-31T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-31T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-31T09:37:43.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10215",
        "datePublished": "2026-06-01T02:15:09.249Z",
        "dateReserved": "2026-05-31T07:32:35.727Z",
        "dateUpdated": "2026-06-03T17:53:15.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10154 (GCVE-0-2026-10154)

    Vulnerability from cvelistv5 – Published: 2026-05-30 23:00 – Updated: 2026-06-01 15:07 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM messaging.php authorization
    Summary
    A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Unaffected: 23.0.3
        cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Abderrahmane Aksoum (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10154",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T15:07:46.108145Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T15:07:52.012Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/818838"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                },
                {
                  "status": "unaffected",
                  "version": "23.0.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Abderrahmane Aksoum (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-30T23:00:13.659Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-367407 | Dolibarr ERP CRM messaging.php authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/367407"
            },
            {
              "name": "VDB-367407 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/367407/cti"
            },
            {
              "name": "Submit #818838 | Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/818838"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-30T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-30T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-30T07:57:44.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM messaging.php authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10154",
        "datePublished": "2026-05-30T23:00:13.659Z",
        "dateReserved": "2026-05-30T05:52:24.717Z",
        "dateUpdated": "2026-06-01T15:07:52.012Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7689 (GCVE-0-2026-7689)

    Vulnerability from cvelistv5 – Published: 2026-05-03 09:30 – Updated: 2026-05-04 13:07 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification
    Summary
    A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/360859 vdb-entrytechnical-description
    https://vuldb.com/vuln/360859/cti signaturepermissions-required
    https://vuldb.com/submit/801794 third-party-advisory
    https://gist.github.com/Shaon-Xis/d6ae069fc54f006… exploit
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Create a notification for this product.
    Credits
    yan1451 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7689",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-04T13:07:21.137379Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-04T13:07:29.907Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Online Signature Module"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "yan1451 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-03T09:30:13.135Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-360859 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/360859"
            },
            {
              "name": "VDB-360859 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/360859/cti"
            },
            {
              "name": "Submit #801794 | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/801794"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-02T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-02T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-02T18:32:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7689",
        "datePublished": "2026-05-03T09:30:13.135Z",
        "dateReserved": "2026-05-02T16:27:26.747Z",
        "dateUpdated": "2026-05-04T13:07:29.907Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7688 (GCVE-0-2026-7688)

    Vulnerability from cvelistv5 – Published: 2026-05-03 09:15 – Updated: 2026-05-05 19:48 X_Open Source
    VLAI
    Title
    Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection
    Summary
    A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/360858 vdb-entrytechnical-description
    https://vuldb.com/vuln/360858/cti signaturepermissions-required
    https://vuldb.com/submit/799337 third-party-advisory
    Impacted products
    Vendor Product Version
    Dolibarr ERP CRM Affected: 23.0.0
    Affected: 23.0.1
    Affected: 23.0.2
    Create a notification for this product.
    Credits
    Chris Oakley chris00 (VulDB User) chris00 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7688",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T19:47:51.447186Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T19:48:37.202Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/799337"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Shipments API Endpoint"
              ],
              "product": "ERP CRM",
              "vendor": "Dolibarr",
              "versions": [
                {
                  "status": "affected",
                  "version": "23.0.0"
                },
                {
                  "status": "affected",
                  "version": "23.0.1"
                },
                {
                  "status": "affected",
                  "version": "23.0.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Oakley"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "chris00 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "chris00 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.6,
                "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-03T09:15:11.998Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/360858"
            },
            {
              "name": "VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/360858/cti"
            },
            {
              "name": "Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/799337"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-02T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-02T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-02T21:49:01.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-7688",
        "datePublished": "2026-05-03T09:15:11.998Z",
        "dateReserved": "2026-05-02T16:27:22.949Z",
        "dateUpdated": "2026-05-05T19:48:37.202Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }