PatchSiren cyber security CVE debrief
CVE-2026-37711 Dolibarr CVE debrief
A remote code execution vulnerability exists in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and version 24.0.0-alpha. The vulnerability is located in htdocs/core/actions_addupdatedelete.inc.php and allows unauthenticated remote attackers to execute arbitrary code on affected systems. The CVSS 3.1 score of 7.3 (HIGH) reflects network attack vector with low attack complexity, no required privileges, and no user interaction needed. The weakness is categorized as CWE-94 (Improper Control of Generation of Code). The CVE was published on 2026-05-27 and modified later the same day. The vulnerability status in NVD is currently marked as 'Deferred'. A GitHub Security Advisory has been published for this issue, indicating vendor acknowledgment.
- Vendor: Dolibarr
- Product: Dolibarr ERP/CRM
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 or 24.0.0-alpha in production environments; security teams managing open-source business applications; hosting providers offering Dolibarr-as-a-service; compliance officers responsible for ERP system security posture.
Technical summary
The vulnerability resides in htdocs/core/actions_addupdatedelete.inc.php, a core file in Dolibarr ERP/CRM responsible for handling add, update, and delete operations. The flaw allows remote attackers to inject and execute arbitrary PHP code without authentication. The CVSS vector indicates network-based exploitation with low complexity, requiring no privileges or user interaction. Impact is rated as low for confidentiality, integrity, and availability, which suggests the vulnerability may be constrained by application context or sandboxing, though the ability to execute code remains critical. The presence of a GitHub Security Advisory indicates the vendor has acknowledged and is addressing the issue.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to a patched version of Dolibarr ERP/CRM when available; check vendor security advisory for specific fixed version
- Restrict network access to Dolibarr administrative interfaces to trusted IP ranges until patching is complete
- Monitor for unauthorized access attempts to htdocs/core/actions_addupdatedelete.inc.php in web server logs
- Review and validate input sanitization on all endpoints handling dynamic code evaluation
- Apply principle of least privilege to web server processes running Dolibarr
- Consider Web Application Firewall (WAF) rules to detect and block suspicious requests to the vulnerable endpoint
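The log-monitoring action above can be scripted. The following is an added example, not code from PatchSiren or the Dolibarr project: it parses web server access logs in the Apache/nginx "combined" format (an assumption about the deployment), URL-decodes each request path so percent-encoded spellings of the file name are still caught, flags requests that reference the file path named in the advisory, and counts hits per source address. The log lines are constructed sample data, not real traffic.

```python
import re
from urllib.parse import unquote

# File path named in the advisory; any request referencing it is flagged.
VULNERABLE_PATH = "core/actions_addupdatedelete.inc.php"

# Apache/nginx "combined" access-log format (assumed deployment log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize(path):
    """Drop the query string and URL-decode twice so encoded variants (%2E, %252E) still match."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path)).lower()

def scan_log(lines):
    """Return one finding per log line whose request path references the vulnerable file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if VULNERABLE_PATH in normalize(m["path"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "path": m["path"],
            })
    return findings

def summarize(findings):
    """Count hits per source IP so a burst of probes from one host stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/May/2026:10:01:02 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/May/2026:10:01:05 +0000] "POST /dolibarr/htdocs/core/actions_addupdatedelete.inc.php HTTP/1.1" 200 311 "-" "curl/8.0"',
    '203.0.113.9 - - [28/May/2026:10:01:06 +0000] "GET /dolibarr/htdocs/core/actions_addupdatedelete%2Einc%2Ephp?x=1 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.12 - - [28/May/2026:10:02:11 +0000] "GET /dolibarr/societe/card.php?socid=3 HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    print(len(hits), "suspicious request(s); hits per source:", summarize(hits))
```

Point `scan_log` at the lines of a real access log file to run it against production data; a non-zero result from a host outside your trusted ranges is worth an incident ticket.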
Evidence notes
CVE description confirms affected versions (22.0.0-22.0.4, 24.0.0-alpha) and vulnerable file path. CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L confirms network-exploitable, unauthenticated attack. CWE-94 classification indicates code injection weakness. NVD status 'Deferred' suggests analysis ongoing. GitHub Security Advisory GHSA-grw9-6m4w-mhcq confirms vendor security acknowledgment.
Official resources
2026-05-27