Cyber Resilience

CVE-2025-67486

HighPublic PoC

Published: 08 May 2026

Published
08 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0088 54.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-67486 is a high-severity Injection (CWE-74) vulnerability in Dolibarr Dolibarr Erp\/Crm. Its CVSS base score is 8.6 (High).

Operationally, ranked in the top 45.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to…

more

PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.

CWE(s)

Related Threats

CVEs Like This One

CVE-2018-25357Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2026-31018Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2026-22666Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2025-56588Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2019-25710Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2024-55228Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2026-23500Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2026-31019Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2019-25452Same product: Dolibarr Dolibarr Erp\/Crm
CVE-2024-55227Same product: Dolibarr Dolibarr Erp\/Crm

Affected Assets

dolibarr
dolibarr erp\/crm
≤ 22.0.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References