CVE-2025-67486 | THREATINT

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available.

PUBLISHED Reserved 2025-12-08 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

<= 22.0.2

affected

References

medium.com/...val-injection-in-user-extrafields-dfc305d0118e exploit

medium.com/...val-injection-in-user-extrafields-dfc305d0118e

github.com/.../blob/22.0.2/htdocs/core/lib/functions.lib.php

cve.org (CVE-2025-67486)

nvd.nist.gov (CVE-2025-67486)

Download JSON