PatchSiren cyber security CVE debrief
CVE-2026-37712 Dolibarr CVE debrief
CVE-2026-37712 describes a remote code execution vulnerability in Dolibarr ERP/CRM affecting versions 22.0.0 through 22.0.4 and version 24.0.0-alpha. The issue resides in htdocs/cron/class/cronjob.class.php where unsafe use of call_user_func_array() in job type processing allows attackers to execute arbitrary code. The vulnerability was published to NVD on 2026-05-27 and modified later the same day. The CVE record status is currently Deferred, indicating the entry may be awaiting additional analysis or vendor coordination. Two source references are available: a security research blog post and a GitHub Security Advisory. No CVSS score or severity rating has been assigned in the source data. The vulnerability is not listed in CISA KEV.
- Vendor: Dolibarr
- Product: ERP/CRM
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Dolibarr ERP/CRM versions 22.0.0-22.0.4 or 24.0.0-alpha; security teams monitoring PHP application vulnerabilities; incident responders tracking ERP/CRM exploitation campaigns
Technical summary
The vulnerability exists in htdocs/cron/class/cronjob.class.php where the call_user_func_array() function is used to invoke job type handlers without adequate input validation or sandboxing. This allows remote attackers to inject and execute arbitrary PHP functions through manipulated cron job configurations. The affected code path is triggered during cron job execution, potentially enabling unauthenticated or authenticated remote code execution depending on access controls surrounding the cron subsystem.
Defensive priority
high
Recommended defensive actions
- Review Dolibarr ERP/CRM installations for affected versions (22.0.0-22.0.4, 24.0.0-alpha)
- Monitor GitHub Security Advisory GHSA-c2jp-w9cj-6cx4 for vendor patch releases
- Restrict access to cron job functionality to authenticated administrative users only
- Apply principle of least privilege to cron job execution contexts
- Review custom cron job configurations for unexpected function callbacks
- Await NVD reanalysis for CVSS scoring and CPE applicability data
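The technical summary above describes the defect as job-type callbacks reaching call_user_func_array() without validation, and the action list asks operators to review cron job configurations for unexpected callbacks. The following PHP is an added illustration, not Dolibarr's own code or the vendor's fix: it shows the hardened shape of such a dispatcher, where the class file, class and method a job row names are checked against a deployment-specific allow-list before anything is called. The field names (jobtype, classesfile, objectname, methodename, params), the allow-list, the temporary document root and the three job rows are all constructed for the example, and the comma-separated params convention is an assumption. PHP 8 is assumed for str_contains().

```php
<?php
declare(strict_types=1);

// Added example (not Dolibarr's code): allow-listed dispatch of method-type
// cron jobs, so a job row cannot name an arbitrary class/method for
// call_user_func_array(). Field names are assumed; all rows are constructed.

// Grammar of a plain PHP class or method identifier.
const IDENT_RE = '/^[A-Za-z_][A-Za-z0-9_]*$/';

/**
 * Check one job row against an allow-list of file => class => [methods].
 * Returns [bool ok, string reason] so an audit can report why a row failed.
 */
function validateCronCallback(array $job, array $allowed): array
{
    if (($job['jobtype'] ?? '') !== 'method') {
        return [false, 'not a method-type job'];
    }
    $file   = (string)($job['classesfile'] ?? '');
    $class  = (string)($job['objectname'] ?? '');
    $method = (string)($job['methodename'] ?? '');

    // Relative path only: no absolute paths, no traversal, no NUL bytes.
    if ($file === '' || $file[0] === '/' || str_contains($file, '..') || str_contains($file, "\0")) {
        return [false, 'class file path is empty, absolute or contains traversal'];
    }
    if (!preg_match(IDENT_RE, $class) || !preg_match(IDENT_RE, $method)) {
        return [false, 'class or method name is not a plain identifier'];
    }
    if (!isset($allowed[$file][$class]) || !in_array($method, $allowed[$file][$class], true)) {
        return [false, "$class::$method in $file is not allow-listed"];
    }
    return [true, 'ok'];
}

/** Dispatch only after validation; this is where call_user_func_array() belongs. */
function dispatchCronJob(array $job, array $allowed, string $docRoot): mixed
{
    [$ok, $reason] = validateCronCallback($job, $allowed);
    if (!$ok) {
        throw new RuntimeException("refusing cron job {$job['rowid']}: $reason");
    }
    $path = $docRoot . '/' . $job['classesfile'];
    if (!is_file($path)) {
        throw new RuntimeException("class file $path not found");
    }
    require_once $path;
    $class  = $job['objectname'];
    $method = $job['methodename'];
    if (!class_exists($class, false) || !method_exists($class, $method)) {
        throw new RuntimeException("$class::$method is not defined by $path");
    }
    // Assumption: params is a comma-separated string.
    $params = array_values(array_filter(
        array_map('trim', explode(',', (string)($job['params'] ?? ''))), 'strlen'));
    return call_user_func_array([new $class(), $method], $params);
}

// --- Constructed demo: a temporary document root holding one legitimate job class ---
$docRoot = sys_get_temp_dir() . '/cron_demo_' . getmypid();
mkdir($docRoot . '/custom/report', 0700, true);
$classSource = <<<'PHP'
<?php
class DailyReport {
    public function build(string $scope): string { return "built $scope"; }
}
PHP;
file_put_contents($docRoot . '/custom/report/dailyreport.class.php', $classSource);

// Hypothetical allow-list: the only callback this deployment expects.
$allowed = ['custom/report/dailyreport.class.php' => ['DailyReport' => ['build']]];

$jobs = [
    ['rowid' => 1, 'jobtype' => 'method', 'classesfile' => 'custom/report/dailyreport.class.php',
     'objectname' => 'DailyReport', 'methodename' => 'build', 'params' => 'sales'],
    // Suspicious row: method not on the allow-list.
    ['rowid' => 2, 'jobtype' => 'method', 'classesfile' => 'custom/report/dailyreport.class.php',
     'objectname' => 'DailyReport', 'methodename' => 'purge', 'params' => ''],
    // Suspicious row: traversal in the class file path.
    ['rowid' => 3, 'jobtype' => 'method', 'classesfile' => '../../../tmp/x.php',
     'objectname' => 'X', 'methodename' => 'run', 'params' => ''],
];

foreach ($jobs as $job) {
    try {
        $out = dispatchCronJob($job, $allowed, $docRoot);
        echo "job {$job['rowid']}: ran, returned '$out'\n";
    } catch (RuntimeException $e) {
        echo "job {$job['rowid']}: " . $e->getMessage() . "\n";
    }
}

// Clean up the temporary document root.
unlink($docRoot . '/custom/report/dailyreport.class.php');
rmdir($docRoot . '/custom/report');
rmdir($docRoot . '/custom');
rmdir($docRoot);
```

For the configuration review in the action list, validateCronCallback() can be run on its own over every stored job row with the dispatcher left out: any row it refuses is a callback the deployment did not expect and deserves a look. The allow-list is the control that matters; the path and identifier checks only narrow the surface before the lookup.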
Evidence notes
Vulnerability affects Dolibarr ERP/CRM v.22.0.0-v.22.0.4 and v.24.0.0-alpha. Root cause is unsafe call_user_func_array() usage in cron job class. NVD status is Deferred as of 2026-05-27.
Official resources
2026-05-27