EXECUTIVE SUMMARY:
CVE-2026-23500 (CVSS score 9.4) is a critical Remote Code Execution (RCE) vulnerability in Dolibarr ERP & CRM, a popular open-source suite used worldwide for managing business activities. It affects all versions up to and including 22.0.4. The flaw lies in the application's document conversion logic in htdocs/includes/odtphp/odf.php, which fails to validate or escape the configured command path before passing it to exec() during ODT to PDF conversion. An authenticated administrator, or an attacker who has compromised an admin account, can exploit this by writing a malicious value into the MAIN_ODT_AS_PDF constant via the database: appending a command separator (such as a semicolon) causes arbitrary operating system commands to run with the privileges of the web server user. From there the attacker can read configuration files to steal database credentials, modify the application's source code directly, and potentially achieve a full system takeover, including pivoting through the network or escaping containerized environments such as Docker, with severe business consequences if exploited.
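The root cause described above is a configuration value flowing unchecked into a shell command. The following PHP is an added example written for this advisory, not Dolibarr's own code or its patch: it contrasts the unsafe concatenation pattern with a hardened version that allowlists the converter path and passes argv as an array to proc_open() so no shell parses the command. The setting name MAIN_ODT_AS_PDF comes from the advisory; the function names, the allowlist entries and the LibreOffice command-line flags are assumptions.

```php
<?php
// Added example (not Dolibarr's code): safe handling of an ODT-to-PDF
// converter path that is read from an admin-editable setting.
// Assumptions: MAIN_ODT_AS_PDF is the setting name named in the advisory;
// everything else here (function names, allowlist, flags) is hypothetical.

declare(strict_types=1);

/**
 * Validate an admin-supplied converter path before it reaches the OS.
 * Only an absolute path made of plain characters, resolving to an existing
 * executable that is on the allowlist, is accepted. A value containing
 * whitespace, ';', '|', '&', quotes, '$', backticks or redirections fails
 * the regex and is rejected before any process is started.
 */
function validateConverterPath(string $configured, array $allowlist): string
{
    if (!preg_match('#\A/[A-Za-z0-9_./-]+\z#', $configured)) {
        throw new InvalidArgumentException('converter path contains disallowed characters');
    }
    $resolved = realpath($configured);
    if ($resolved === false || !is_file($resolved) || !is_executable($resolved)) {
        throw new InvalidArgumentException('converter path is not an executable file');
    }
    if (!in_array($resolved, $allowlist, true)) {
        throw new InvalidArgumentException('converter path is not on the allowlist');
    }
    return $resolved;
}

/**
 * Unsafe pattern, shown for contrast only: the setting is concatenated into
 * a shell command line, so any separator inside it ends the intended command
 * and starts a second one. This is the defect class the advisory describes.
 */
function convertOdtToPdfUnsafe(string $converterSetting, string $odt, string $outdir): void
{
    exec($converterSetting . ' --headless --convert-to pdf --outdir ' . $outdir . ' ' . $odt, $output, $rc);
}

/**
 * Hardened pattern: validate the path, then hand argv to proc_open() as an
 * array (PHP >= 7.4). With an array command no shell is involved, so a
 * metacharacter in any element is just a literal byte in that argument.
 */
function convertOdtToPdfSafe(string $converterSetting, string $odt, string $outdir): int
{
    // Hypothetical allowlist; an installation would list only the binary it actually uses.
    $allowlist = ['/usr/bin/soffice', '/usr/bin/libreoffice'];
    $converter = validateConverterPath($converterSetting, $allowlist);

    $argv = [$converter, '--headless', '--convert-to', 'pdf', '--outdir', $outdir, $odt];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start converter');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// On a PHP build that forces a string command through a shell, every element
// must at least be quoted: exec(escapeshellarg($converter) . ' ... ' . escapeshellarg($odt), ...).
// Quoting is a fallback; the array form above removes the shell entirely.
```

The same validateConverterPath() check doubles as a detection aid: running it over the MAIN_ODT_AS_PDF value currently stored in the database immediately flags a setting that has been tampered with, since a legitimate converter path never contains a separator or other shell metacharacter.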
RECOMMENDATION:
We recommend updating Dolibarr ERP & CRM to version 23.0.
REFERENCES:
The following report contains further technical details:
https://securityonline.info/dolibarr-rce-vulnerability-cve-2026-23500-pdf-conversion/