What is CVE-2026-23500?

CVE-2026-23500 is a critical-severity vulnerability in Dolibarr, classified under OS Command Injection. CVSS score: 9.1/10. Published 2026-04-17.

How severe is CVE-2026-23500?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2026-23500 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Dolibarr

CVE-2026-23500

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration consta…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.002 (37.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Dolibarr — versions < 23.0.0
Dolibarr Dolibarr_erp\/crm

Weakness classification (CWE)

CWE-78 — OS Command Injection

Public proof-of-concept exploits

lukasz-rybak/CVE-2026-23500

References

https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w (x_refsource_CONFIRM, Exploit, Vendor Advisory)
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0 (Product, x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-23500?: CVE-2026-23500 is a critical-severity vulnerability in Dolibarr, classified under OS Command Injection. CVSS score: 9.1/10. Published 2026-04-17.
How severe is CVE-2026-23500?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2026-23500 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.