CVE-2026-23500

Tags: Critical · Public PoC · RCE

Published: 17 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: fixed in version 23.0.0

CVSS v4.0 base score: 9.4 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0092 (55.7th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-23500 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dolibarr ERP/CRM. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23500 is an OS command injection vulnerability (CWE-78) in Dolibarr, an open-source enterprise resource planning (ERP) and customer relationship management (CRM) software package. The issue affects versions prior to 23.0.0 and resides in the ODT to PDF conversion process in the odf.php file. Specifically, the MAIN_ODT_AS_PDF configuration constant is concatenated directly into a shell command passed to the exec() function without sanitization, so the configuration value can alter the command that is run.

An authenticated administrator can exploit this vulnerability by injecting arbitrary OS commands into the MAIN_ODT_AS_PDF constant using command separators. Exploitation occurs when any ODT template is generated, resulting in remote code execution (RCE) with the privileges of the web server user. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, requires no special conditions beyond administrator credentials, and can lead to complete compromise of the host. The security-relevant point is that a web-application administrator role is converted into code execution on the underlying server, crossing a privilege boundary that the admin role is not meant to cross.

The Dolibarr security advisory (GHSA-w5j3-8fcr-h87w) and release notes for version 23.0.0 confirm that the issue has been addressed in that update, recommending immediate upgrades for affected installations. Practitioners should verify configurations and audit any custom MAIN_ODT_AS_PDF settings prior to patching.

Vulnerability details

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in a web application directly enables RCE via T1190 (exploitation of a public-facing application) and T1059 (arbitrary command execution through the shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-31019 (same product: Dolibarr ERP/CRM)
- CVE-2026-22666 (same product: Dolibarr ERP/CRM)
- CVE-2019-25710 (same product: Dolibarr ERP/CRM)
- CVE-2019-25450 (same product: Dolibarr ERP/CRM)
- CVE-2019-25452 (same product: Dolibarr ERP/CRM)
- CVE-2026-31018 (same product: Dolibarr ERP/CRM)
- CVE-2024-55227 (same product: Dolibarr ERP/CRM)
- CVE-2018-25357 (same product: Dolibarr ERP/CRM)
- CVE-2024-55228 (same product: Dolibarr ERP/CRM)
- CVE-2025-56588 (same product: Dolibarr ERP/CRM)

Affected Assets

- Vendor: dolibarr
- Product: dolibarr erp/crm
- Versions: ≤ 23.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

- SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of configuration inputs like MAIN_ODT_AS_PDF before concatenation into shell commands via exec(), preventing OS command injection.
- SI-2 Flaw Remediation (prevent): Mandates timely remediation of known flaws, such as patching Dolibarr to version 23.0.0 to fix the unsanitized exec() usage in odf.php.
- Configuration settings control (prevent): Enforces secure baseline configuration settings to restrict dangerous values in constants like MAIN_ODT_AS_PDF, reducing injection risk.
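The following PHP is an added illustration and is not Dolibarr's code nor its 23.0.0 fix. It shows the hardening that the SI-10 control above calls for (validate MAIN_ODT_AS_PDF before it reaches a shell) and an audit helper for the pre-patch check recommended in the deeper analysis. The function names, the converter allowlist and the sample rows are assumptions constructed for the example.

```php
<?php
// Added example (not Dolibarr's code). Demonstrates validating the
// MAIN_ODT_AS_PDF constant before it is used in a shell command, and
// auditing stored constant values for entries that would fail validation.
declare(strict_types=1);

// Converters an operator might legitimately configure (assumed allowlist,
// adjust to whatever your deployment actually uses).
const ALLOWED_CONVERTERS = ['soffice', 'libreoffice', 'unoconv'];

// Accept only a bare program name or an absolute path built from safe
// characters, and require the basename to be on the allowlist. Shell
// separators such as ';', '&', '|', '`' and '$(' never match the pattern,
// so a value that tries to chain a second command is rejected outright.
function isSafeConverterValue(string $value): bool
{
    if ($value === '') {
        return false;
    }
    if (!preg_match('#^(/[A-Za-z0-9_.-]+)+$|^[A-Za-z0-9_.-]+$#', $value)) {
        return false;
    }
    return in_array(basename($value), ALLOWED_CONVERTERS, true);
}

// Hardened command construction: the validated binary plus escaped
// arguments. The vulnerable pattern described in the advisory concatenates
// the raw constant into the command string instead of validating it first.
// The LibreOffice flags are used as a realistic conversion invocation.
function buildConversionCommand(string $converter, string $odtPath, string $outDir): string
{
    if (!isSafeConverterValue($converter)) {
        throw new InvalidArgumentException('MAIN_ODT_AS_PDF is not an allowed converter');
    }
    return escapeshellcmd($converter)
        . ' --headless --convert-to pdf --outdir ' . escapeshellarg($outDir)
        . ' ' . escapeshellarg($odtPath);
}

// Audit helper: takes rows shaped like a constants table (name, value,
// entity) and returns the MAIN_ODT_AS_PDF entries that fail validation.
// Useful for the "audit custom MAIN_ODT_AS_PDF settings before patching" step.
function auditOdtConverterConstants(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        if (($row['name'] ?? '') !== 'MAIN_ODT_AS_PDF') {
            continue;
        }
        $value = (string) ($row['value'] ?? '');
        if (!isSafeConverterValue($value)) {
            $findings[] = ['entity' => (int) $row['entity'], 'value' => $value];
        }
    }
    return $findings;
}

// Constructed sample rows (not real data): two legitimate values, one that
// chains a second command, and an unrelated constant that is ignored.
$sampleRows = [
    ['name' => 'MAIN_ODT_AS_PDF',  'value' => 'soffice',                 'entity' => 1],
    ['name' => 'MAIN_ODT_AS_PDF',  'value' => '/usr/bin/libreoffice',    'entity' => 2],
    ['name' => 'MAIN_ODT_AS_PDF',  'value' => 'soffice && echo tampered', 'entity' => 3],
    ['name' => 'MAIN_LANG_DEFAULT', 'value' => 'en_US',                  'entity' => 1],
];

foreach (auditOdtConverterConstants($sampleRows) as $finding) {
    printf("entity %d: MAIN_ODT_AS_PDF value '%s' fails validation\n",
        $finding['entity'], $finding['value']);
}

// Only the validated converter ever reaches the shell.
echo buildConversionCommand('soffice', '/tmp/invoice.odt', '/tmp/out'), "\n";
```

The design choice worth noting is that the configuration value is treated as untrusted even though only an administrator can set it: the allowlist, not the caller's role, decides what is allowed to reach exec(). Running the audit helper against exported constant rows before upgrading surfaces any value that was changed to something other than a plain converter name, which is the check the deeper analysis asks for.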
