Cyber Posture

CVE-2026-23500

Critical · Public PoC

Published: 17 April 2026
Modified: 01 May 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation and sanitization of configuration inputs like MAIN_ODT_AS_PDF before concatenation into shell commands via exec(), preventing OS command injection.

prevent: Mandates timely remediation of known flaws, such as patching Dolibarr to version 23.0.0 to fix the unsanitized exec() usage in odf.php.

prevent: Enforces secure baseline configuration settings to restrict dangerous values in constants like MAIN_ODT_AS_PDF, reducing injection risk.

Security Summary

CVE-2026-23500 is an OS command injection vulnerability (CWE-78) in Dolibarr, an open-source enterprise resource planning (ERP) and customer relationship management (CRM) package. It affects versions prior to 23.0.0 and resides in the ODT to PDF conversion step in odf.php: the MAIN_ODT_AS_PDF configuration constant is concatenated directly into a shell command string passed to exec() without sanitization, so any shell metacharacters stored in the constant are interpreted by the shell rather than treated as part of a program name.

An authenticated administrator exploits it by storing a value containing command separators (a semicolon or similar followed by an arbitrary command) in MAIN_ODT_AS_PDF; the injected command runs as the web server user the next time any ODT template is generated. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), critical: the attack is reachable over the network with low complexity and gives full control of confidentiality, integrity and availability. PR:H records that an administrator account is required, and S:C that the impact is not confined to the application: an attacker who obtains an administrator login turns it into shell access on the host, which is usually a far larger trust boundary than the Dolibarr instance itself.

The Dolibarr security advisory (GHSA-w5j3-8fcr-h87w) and the release notes for version 23.0.0 confirm that the issue is fixed in that release; affected installations should upgrade immediately. Before and after patching, review the stored MAIN_ODT_AS_PDF value: anything other than a plain converter program name or path (in particular a value containing ; | & ` $( or a newline) is evidence that the flaw has already been used and should trigger incident response rather than only a configuration clean-up.
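The concatenation pattern the description explains, beside the validation the controls section calls for, as an added example written for this page. It is not Dolibarr's code: the function names, the converter table, the argument templates and the sample values are assumptions made for illustration.

```php
<?php
// Added illustrative example, not Dolibarr's own code. Function names, the
// converter table and the sample values are assumptions made for this page.

// Vulnerable pattern described in the advisory: the value of the
// MAIN_ODT_AS_PDF constant is spliced into the command string and handed to
// exec(), which runs it through /bin/sh. A stored value such as
//   soffice; id > /tmp/pwned
// therefore also runs "id" as the web server user whenever an ODT is converted.
function convertOdtToPdfVulnerable(string $converterConst, string $odtPath): int
{
    $output = [];
    $status = 1;
    exec($converterConst . ' --headless --convert-to pdf ' . $odtPath, $output, $status);
    return $status;
}

// Hardened version. The configured value may only select an entry from a fixed
// table of known converters; the argument template is fixed in code; every
// token that reaches the shell is quoted with escapeshellarg().
const ODT_CONVERTERS = [
    'soffice'     => ['--headless', '--convert-to', 'pdf', '--outdir', '{outdir}', '{input}'],
    'libreoffice' => ['--headless', '--convert-to', 'pdf', '--outdir', '{outdir}', '{input}'],
    'unoconv'     => ['-f', 'pdf', '-o', '{outdir}', '{input}'],
];

// True only for a bare program name or path built from safe characters whose
// basename is a known converter. Separators and substitution characters
// (; | & ` $ ( ) < > whitespace, newline) all fail the character class.
function isSafeConverterValue(string $value): bool
{
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $value)) {
        return false;
    }
    return array_key_exists(basename($value), ODT_CONVERTERS);
}

// Builds the full command line, or returns null when the configuration or the
// input path is not acceptable. Returned as a string so it can be inspected
// without executing anything.
function buildConvertCommand(string $converterConst, string $odtPath, string $outDir): ?string
{
    if (!isSafeConverterValue($converterConst)) {
        return null;
    }
    // Only existing .odt files are accepted as input; realpath() resolves any
    // ../ traversal before the extension check is applied.
    $realOdt = realpath($odtPath);
    if ($realOdt === false || strtolower(pathinfo($realOdt, PATHINFO_EXTENSION)) !== 'odt') {
        return null;
    }
    $args = [];
    foreach (ODT_CONVERTERS[basename($converterConst)] as $arg) {
        $arg = str_replace(['{outdir}', '{input}'], [$outDir, $realOdt], $arg);
        $args[] = escapeshellarg($arg);
    }
    return escapeshellarg($converterConst) . ' ' . implode(' ', $args);
}

function convertOdtToPdfHardened(string $converterConst, string $odtPath, string $outDir): int
{
    $cmd = buildConvertCommand($converterConst, $odtPath, $outDir);
    if ($cmd === null) {
        throw new InvalidArgumentException(
            'Refusing to run ODT conversion: bad MAIN_ODT_AS_PDF value or input path'
        );
    }
    $output = [];
    $status = 1;
    exec($cmd . ' 2>&1', $output, $status);
    return $status;
}

// Audit helper for existing installations: report which constant values would
// be rejected. The values below are constructed samples, not real findings.
$samples = [
    'soffice',
    '/usr/bin/libreoffice',
    'soffice; id > /tmp/pwned',
    'unoconv $(curl http://169.254.169.254/)',
    'soffice --headless',   // rejected: whitespace; flags live in the table, not the constant
];
foreach ($samples as $value) {
    printf("%-45s %s\n", $value, isSafeConverterValue($value) ? 'accepted' : 'REJECTED');
}
```

The same isSafeConverterValue() check can be run over the MAIN_ODT_AS_PDF value read from the Dolibarr constants table (llx_const with the default table prefix) to audit an installation before and after the upgrade. On PHP 7.4 and later, passing an array of arguments to proc_open() bypasses the shell entirely and is the stronger option; the exec() form above is kept to mirror the API the advisory names.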

Details

CWE(s)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products
Dolibarr ERP/CRM (dolibarr), versions before 23.0.0 (fixed in 23.0.0)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in web app directly enables RCE via T1190 (public-facing app exploitation) and T1059 (arbitrary command execution through shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
