These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient [truncated]
CVE-2026-10215 is a LOW-severity improper authorization vulnerability in Dolibarr ERP CRM versions up to 23.0.1, affecting the Leave Request REST API. The flaw resides in the `checkUserAccessToObject` function within `htdocs/holiday/class/api_holidays.class.php`, where insufficient access controls allow an authenticated, remote attacker to perform unauthorized operations on leave request records. The CVSS [truncated]
A medium-severity authorization bypass vulnerability exists in Dolibarr ERP CRM versions 23.0.0 through 23.0.2. The vulnerability is located in an unspecified function within htdocs/user/messaging.php, where manipulation of the ID parameter allows an attacker to bypass authorization controls. The attack vector is network-based and can be executed remotely. The vulnerability was published on 2026-05-31. Th [truncated]
A remote code execution vulnerability exists in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and version 24.0.0-alpha. The vulnerability is located in htdocs/core/class/commonobject.class.php and allows a remote attacker to execute arbitrary code. The CVE was published on 2026-05-27 and subsequently modified the same day. The vulnerability status is currently marked as Deferred in the NVD. Two source r [truncated]
CVE-2026-37712 describes a remote code execution vulnerability in Dolibarr ERP/CRM affecting versions 22.0.0 through 22.0.4 and version 24.0.0-alpha. The issue resides in htdocs/cron/class/cronjob.class.php where unsafe use of call_user_func_array() in job type processing allows attackers to execute arbitrary code. The vulnerability was published to NVD on 2026-05-27 and modified later the same day. The C [truncated]
A remote code execution vulnerability exists in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and version 24.0.0-alpha. The vulnerability is located in htdocs/core/actions_addupdatedelete.inc.php and allows unauthenticated remote attackers to execute arbitrary code on affected systems. The CVSS 3.1 score of 7.3 (HIGH) reflects network attack vector with low attack complexity, no required privileges, and [truncated]
A critical remote code execution vulnerability exists in Dolibarr ERP CRM 7.0.3. The vulnerability allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious payloads through the db_name parameter during the installation process. The attack vector involves sending a POST request to install/step1.php with crafted PHP code in the db_name parameter, followed by command execution vi [truncated]
CVE-2026-31018 is a high-severity vulnerability in Dolibarr ERP & CRM 22.0.4 and earlier. The vulnerability allows an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. This issue arises from inconsistent application of PHP code detection and editing permission enforcement in the Website module.