CVE-2026-23500
Published: 17 April 2026
Summary
CVE-2026-23500 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dolibarr ERP/CRM. Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the injection point is an administrator-only configuration constant, so this is post-authentication code execution rather than an unauthenticated entry point. The vulnerability is ranked at the 30.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of configuration inputs such as MAIN_ODT_AS_PDF before they are concatenated into a shell command passed to exec(), preventing OS command injection.
- SI-2 (Flaw Remediation): mandates timely remediation of known flaws, here by upgrading Dolibarr to version 23.0.0, which fixes the unsanitized exec() usage in odf.php.
- CM-6 (Configuration Settings): enforces a secure configuration baseline that restricts dangerous values in constants such as MAIN_ODT_AS_PDF, reducing injection risk.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a web application maps to T1190 (Exploit Public-Facing Application) for the access vector and to T1059 (Command and Scripting Interpreter) for the resulting arbitrary command execution through the shell spawned by exec(). Because the injected value is an administrator-only configuration constant, T1190 here presumes valid administrator credentials rather than an unauthenticated path.
NVD Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.
Deeper analysis
CVE-2026-23500 is an OS command injection vulnerability (CWE-78) in Dolibarr, an open-source enterprise resource planning (ERP) and customer relationship management (CRM) software package. The issue affects versions prior to 23.0.0 and resides in the ODT to PDF conversion process within the odf.php file. Specifically, the MAIN_ODT_AS_PDF configuration constant is concatenated directly into a shell command passed to the exec() function without proper sanitization, enabling command injection.
An authenticated administrator can exploit this vulnerability by storing a value containing command separators in the MAIN_ODT_AS_PDF constant. The payload fires whenever any ODT template is generated, by any user, resulting in remote code execution (RCE) with the privileges of the web server user. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): Critical, because it is reachable over the network with low attack complexity, gives full control of confidentiality, integrity and availability, and changes scope since the commands run on the host rather than inside Dolibarr's own authorization boundary. The PR:H component is the practical caveat: the attacker must already hold an administrator account, so in most deployments this is an escalation from Dolibarr admin to the web server user, or a persistence mechanism for an attacker who has compromised admin credentials.
The Dolibarr security advisory (GHSA-w5j3-8fcr-h87w) and the release notes for version 23.0.0 confirm that the issue is fixed in that release; affected installations should upgrade immediately. Before and after patching, practitioners should inspect the stored MAIN_ODT_AS_PDF value: anything containing shell separators (;, |, &, backticks, $( ), newlines) or pointing to an unexpected binary suggests an administrator account may already have been misused, and an upgrade does not necessarily reset a value that was stored before it. Reviewing administrator accounts and recent changes to that constant is part of the same check.
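The following is an added example, not code from this page and not Dolibarr's odf.php source. It shows the vulnerable shape the advisory describes (the configuration constant used verbatim as the command prefix) next to a hardened version that allowlists the converter and quotes each argument, plus a small audit check for the stored value. The converter names, their argv, the file paths and the sample hostile value are all assumptions constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration of the injection pattern described for CVE-2026-23500.
// Not Dolibarr's odf.php: $setting stands in for the stored MAIN_ODT_AS_PDF
// constant, $odtPath for the template being converted.

// Vulnerable shape: the setting is the command prefix, so quoting the path is
// irrelevant. An admin who stores "unoconv; id > /tmp/pwned" gets both commands
// executed by exec() the next time any ODT template is generated.
function buildCommandUnsafe(string $setting, string $odtPath): string
{
    return $setting . ' ' . escapeshellarg($odtPath);
}

// Hardened shape: the setting only selects an entry from a fixed allowlist
// (assumed converter names and argv; adjust to what the deployment ships) and
// every argument, including the converter name, is quoted with escapeshellarg().
const ALLOWED_CONVERTERS = [
    'unoconv'     => ['unoconv', '-f', 'pdf'],
    'libreoffice' => ['soffice', '--headless', '--convert-to', 'pdf'],
];

function buildCommandSafe(string $setting, string $odtPath): string
{
    $key = strtolower(trim($setting));
    if (!array_key_exists($key, ALLOWED_CONVERTERS)) {
        // Reject rather than strip: a denylist of separators is easy to bypass.
        throw new InvalidArgumentException('MAIN_ODT_AS_PDF value not allowed: ' . $setting);
    }
    if (!preg_match('/\.odt$/i', $odtPath)) {
        throw new InvalidArgumentException('not an ODT template: ' . $odtPath);
    }
    $argv   = ALLOWED_CONVERTERS[$key];
    $argv[] = $odtPath;
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Audit helper for a stored value (constructed check, not a Dolibarr API):
// flags values that are not an allowed converter name or that contain shell
// metacharacters which would let exec() run a second command.
function auditSetting(string $setting): array
{
    $findings = [];
    if (!array_key_exists(strtolower(trim($setting)), ALLOWED_CONVERTERS)) {
        $findings[] = 'not on converter allowlist';
    }
    if (preg_match('/[;&|`$<>\n\r]/', $setting)) {
        $findings[] = 'contains shell metacharacters';
    }
    return $findings;
}

// Constructed values; run with: php odt_pdf_command.php
$hostile = 'unoconv; id > /tmp/pwned';
echo "unsafe : ", buildCommandUnsafe($hostile, '/tmp/invoice.odt'), "\n";
echo "audit  : ", implode(', ', auditSetting($hostile)) ?: 'clean', "\n";
try {
    buildCommandSafe($hostile, '/tmp/invoice.odt');
} catch (InvalidArgumentException $e) {
    echo "safe   : rejected (", $e->getMessage(), ")\n";
}
echo "safe   : ", buildCommandSafe('unoconv', '/tmp/invoice.odt'), "\n";
```

Neither function calls exec(), so the script only prints the command strings: the unsafe one still carries the separator and the second command, while the hardened one either throws or yields a fully quoted argv. The same auditSetting() check can be run over the MAIN_ODT_AS_PDF row read from Dolibarr's configuration table (llx_const with the default table prefix) before and after the upgrade, since the fix changes the code path but does not necessarily clear a value an attacker already stored.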
Details
- CWE(s)