What is CVE-2025-67486?

CVE-2025-67486 is a high-severity vulnerability in Dolibarr, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 7.2/10. Published 2026-05-08.

How severe is CVE-2025-67486?

High severity. CVSS v3 base score is 7.2 out of 10.

Vulnerability in Dolibarr

CVE-2025-67486

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality…

EPSS: 0.003 (55.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Dolibarr — versions <= 22.0.2
Dolibarr Dolibarr_erp\/crm

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

security-advisories@github.com (x_refsource_CONFIRM, Exploit, Third Party Advisory)
security-advisories@github.com (Patch, x_refsource_MISC)

Frequently asked questions

What is CVE-2025-67486?: CVE-2025-67486 is a high-severity vulnerability in Dolibarr, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 7.2/10. Published 2026-05-08.
How severe is CVE-2025-67486?: High severity. CVSS v3 base score is 7.2 out of 10.