Dolibarr OS Command Injection via MAIN_ODT_AS_PDF Configuration

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

Dolibarr, a popular open-source ERP and CRM system, is susceptible to OS Command Injection (RCE) in versions up to 22.0.4. This vulnerability, identified as CVE-2026-23500, stems from insufficient validation of the MAIN_ODT_AS_PDF configuration setting. An attacker with administrative privileges can inject malicious commands into this setting, which are then executed by the server during ODT to PDF conversion processes. The vulnerability resides in htdocs/includes/odtphp/odf.php, where the application constructs a shell command using the unfiltered MAIN_ODT_AS_PDF value. Successful exploitation enables arbitrary command execution on the server, potentially leading to complete system compromise.

Attack Chain

The attacker gains administrative access to the Dolibarr instance, either through credential compromise or social engineering.
The attacker navigates to the “Home -> Setup -> Other Setup” section of the Dolibarr administration panel.
The attacker modifies the MAIN_ODT_AS_PDF configuration constant. The injected payload includes a command separator (;) followed by the malicious command. The example uses jodconverter; echo | base64 -d | bash.
The attacker navigates to the “Commerce -> New proposal” section.
The attacker creates a new proposal in draft status and selects an ODT template.
The attacker clicks the “Generate” button, triggering the ODT to PDF conversion process.
The application executes the crafted shell command, resulting in command execution.
In the proof of concept, the attacker establishes a reverse shell connection to their specified IP address (172.26.0.1) and port (4445), gaining interactive shell access.

Impact

Successful exploitation allows an attacker with administrator privileges to execute arbitrary commands on the underlying server as the web server user. This can lead to the compromise of sensitive data, modification of application files, and potentially full system compromise. The observed impact includes the establishment of a reverse shell, granting the attacker complete control over the Dolibarr instance. This vulnerability affects Dolibarr installations up to version 22.0.4.

Recommendation

Upgrade Dolibarr to a patched version beyond 22.0.4 to remediate CVE-2026-23500.
Monitor process creation events for commands executed with suspicious arguments in MAIN_ODT_AS_PDF by deploying the provided Sigma rules.
Monitor network connections to unusual external IP addresses originating from the web server, especially following events related to document generation. Block the C2 IP address 172.26.0.1 listed in the IOC table at the network perimeter.
Implement strict access controls and regularly audit administrator accounts to prevent unauthorized access to the Dolibarr configuration settings.

Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability

hello@craftedsignal.io — Sun, 12 Apr 2026 13:16:34 +0000

Dolibarr ERP-CRM is a popular open-source enterprise resource planning and customer relationship management software. Version 8.0.4 of Dolibarr is susceptible to a critical SQL injection vulnerability (CVE-2019-25710) affecting the rowid parameter in the admin dict.php endpoint. This flaw allows unauthenticated attackers to inject malicious SQL code through the rowid POST parameter. Successful exploitation enables attackers to execute arbitrary SQL queries against the Dolibarr database, potentially leading to the exposure of sensitive information, modification of data, or complete compromise of the application. This vulnerability can be exploited using error-based SQL injection techniques.

Attack Chain

The attacker identifies a vulnerable Dolibarr ERP-CRM instance running version 8.0.4.
The attacker crafts a malicious HTTP POST request targeting the admin/dict.php endpoint.
The request includes the rowid parameter containing a SQL injection payload.
The server-side application processes the request and executes the injected SQL code within the database query.
The attacker leverages error-based SQL injection techniques to extract sensitive information from the database, such as user credentials, API keys, or financial data.
The attacker analyzes the error messages returned by the application to refine the SQL injection payload and bypass any security measures.
The attacker potentially uses the extracted credentials to gain unauthorized access to other parts of the application or the underlying system.

Impact

Successful exploitation of this SQL injection vulnerability can lead to severe consequences, including unauthorized access to sensitive data, data breaches, and complete compromise of the Dolibarr ERP-CRM system. The vulnerability allows attackers to extract sensitive database information, modify data, or potentially execute arbitrary code on the server. Given that ERP and CRM systems often contain critical business data, the impact can be significant for affected organizations.

Recommendation

Apply patches or upgrade to a secure version of Dolibarr ERP-CRM to remediate CVE-2019-25710.
Deploy the Sigma rule Detect Suspicious Dolibarr rowid Parameter SQL Injection Attempt to your SIEM to identify potential exploitation attempts against the admin/dict.php endpoint.
Monitor web server logs for unusual POST requests to admin/dict.php with suspicious characters or SQL keywords in the rowid parameter to detect potential attacks.
Implement web application firewall (WAF) rules to filter out malicious SQL injection payloads targeting the rowid parameter in admin/dict.php.

Dolibarr — CraftedSignal Threat Feed

Dolibarr OS Command Injection via MAIN_ODT_AS_PDF Configuration

Attack Chain

Impact

Recommendation

Dolibarr ERP-CRM 8.0.4 SQL Injection Vulnerability

Attack Chain

Impact

Recommendation