PatchSiren cyber security CVE debrief

CVE-2026-37713 Dolibarr CVE debrief

A remote code execution vulnerability exists in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and version 24.0.0-alpha. The vulnerability is located in htdocs/core/class/commonobject.class.php and allows a remote attacker to execute arbitrary code. The CVE was published on 2026-05-27 and subsequently modified the same day. The vulnerability status is currently marked as Deferred in the NVD. Two source references are available: a security research blog post and a GitHub Security Advisory. No CVSS score or severity rating has been assigned. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Dolibarr
Product: Dolibarr ERP/CRM
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Dolibarr ERP/CRM versions 22.0.0-22.0.4 or 24.0.0-alpha; security teams managing open-source business applications; Dolibarr hosting providers

Technical summary

The vulnerability resides in the commonobject.class.php file within Dolibarr's core class library. Affected versions include the 22.0.x stable branch (22.0.0 through 22.0.4) and the 24.0.0-alpha development release. The flaw enables remote attackers to execute arbitrary code. The exact technical mechanism is not detailed in available sources; defenders should monitor the GitHub Security Advisory for technical details and remediation guidance.

Defensive priority

High

Recommended defensive actions

  • Review Dolibarr ERP/CRM installations for versions 22.0.0-22.0.4 and 24.0.0-alpha
  • Monitor GitHub Security Advisory GHSA-cq92-jp5j-rwvj for patch availability
  • Apply security updates when released by the Dolibarr project
  • Restrict network access to Dolibarr administrative interfaces pending patch
  • Review access logs for suspicious activity targeting commonobject.class.php
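As an added example that is not part of the debrief or of the Dolibarr project, the following Python script implements the first action above: it compares an installation's version string against the affected ranges (22.0.0 through 22.0.4 inclusive, and exactly 24.0.0-alpha), keeping the pre-release suffix separate so that a final 24.0.0 is not mistaken for the affected alpha. It assumes the version is defined as DOL_VERSION in htdocs/filefunc.inc.php; the file contents used here are a constructed sample.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, str]  # (major, minor, patch, prerelease suffix)

# Affected versions as listed in the debrief (inclusive numeric range, plus one exact pre-release).
AFFECTED_RANGES = [((22, 0, 0), (22, 0, 4))]
AFFECTED_EXACT = [(24, 0, 0, "alpha")]

# Assumed location/format: define('DOL_VERSION', 'x.y.z'); in htdocs/filefunc.inc.php
DOL_VERSION_RE = re.compile(r"define\(\s*'DOL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed stand-in for the real file, for an offline run.
SAMPLE_FILEFUNC = (
    "<?php\n"
    "// constructed sample of htdocs/filefunc.inc.php\n"
    "if (!defined('DOL_VERSION')) {\n"
    "\tdefine('DOL_VERSION', '22.0.3');\n"
    "}\n"
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH[-suffix]'; the suffix (alpha, beta, rc1, ...) is kept separately."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Dolibarr version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), (suffix or "").lower()


def is_affected(version: str) -> bool:
    """True if the version falls in an affected range or matches an affected pre-release exactly."""
    v = parse_version(version)
    core = v[:3]
    # Numeric range check ignores the suffix: a pre-release of 22.0.x is treated as affected too.
    if any(low <= core <= high for low, high in AFFECTED_RANGES):
        return True
    # Exact match keeps the suffix, so 24.0.0 (final) is not flagged while 24.0.0-alpha is.
    return v in AFFECTED_EXACT


def version_from_filefunc(source: str) -> Optional[str]:
    """Extract the DOL_VERSION literal from filefunc.inc.php contents, or None if absent."""
    m = DOL_VERSION_RE.search(source)
    return m.group(1) if m else None


def check_install(source: str) -> Tuple[Optional[str], bool]:
    """Return (detected version, affected?) for the given filefunc.inc.php contents."""
    version = version_from_filefunc(source)
    return version, (version is not None and is_affected(version))
```

Running check_install on the real file contents (for example, with the path of each hosted instance) gives the version and a flag for each install, which is the list the remaining actions operate on.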

Evidence notes

The vulnerability affects Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha. The reported impact is remote code execution by a remote attacker via htdocs/core/class/commonobject.class.php. Source references include a GitHub Security Advisory (GHSA-cq92-jp5j-rwvj) and a security research publication. NVD status is Deferred; no CVSS vector or weakness (CWE) entries are currently populated.

Official resources

2026-05-27T15:16:27.007Z