All known vulnerabilities

| Severity | CVSS | CVE | Summary | Affected versions |
| --- | --- | --- | --- | --- |
| | | | | >= 16.0.1, < 16.0.3 |
| | | | | from 0, < 14.0.1 |
| | | | | from 0, <= 15.0.3 |
| | | | | >= 13.0.2, < 14.0.0 |
| CRITICAL | 9.8 | CVE-2019-19212 | Dolibarr Cross-site Scripting via the qty parameter in product/fournisseurs.php | >= 3.0, <= 10.0.3 |
| CRITICAL | 9.8 | CVE-2020-7995 | Dolibarr Improper Restriction of Excessive Authentication Attempts | from 0, <= 4.0.4 |
| CRITICAL | 9.8 | CVE-2017-7886 | Dolibarr SQL Injection in doli/theme/eldy/style.css.php via the lang parameter | from 0, < 5.0.3 |
| CRITICAL | 9.8 | CVE-2017-14238 | Dolibarr SQL injection vulnerability in admin/menus/edit.php | from 0, < 6.0.1 |
| CRITICAL | 9.8 | CVE-2017-14242 | Dolibarr SQL injection vulnerability in don/list.php | from 0, < 6.0.1 |
| CRITICAL | 9.8 | CVE-2017-17897 | Dolibarr SQL injection vulnerability in comm/multiprix.php | from 0, < 6.0.5 |
| CRITICAL | 9.8 | CVE-2017-17899 | Dolibarr SQL injection vulnerability in adherents/subscription/info.php | from 0, < 6.0.5 |
| CRITICAL | 9.8 | CVE-2017-17900 | Dolibarr SQL injection vulnerability in fourn/index.php | from 0, < 6.0.5 |
| | | | | from 0, < 7.0.2 |
| CRITICAL | 9.8 | CVE-2018-13448 | Dolibarr SQL injection vulnerability in product/card.php | >= 7.0.3, < 7.0.4 |
| CRITICAL | 9.8 | CVE-2018-13447 | Dolibarr SQL injection vulnerability in product/card.php | >= 7.0.3, < 7.0.4 |
| CRITICAL | 9.8 | CVE-2018-13449 | Dolibarr SQL injection vulnerability in product/card.php | >= 7.0.3, < 7.0.4 |
| CRITICAL | 9.8 | CVE-2018-13450 | Dolibarr SQL injection vulnerability in product/card.php | >= 7.0.3, < 7.0.4 |
| CRITICAL | 9.8 | CVE-2018-16809 | Dolibarr SQL injection via the integer parameters qty and value_unit | >= 3.8, <= 7.0.0 |
| | | | | from 0, < 7.0.2 |
| CRITICAL | 9.6 | CVE-2023-38888 | Cross Site Scripting vulnerability in Dolibarr ERP CRM | from 0, < 17.0.1 |
| CRITICAL | 9.1 | CVE-2026-23500 | Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration | from 0, <= 22.0.4 |
| CRITICAL | 9.1 | CVE-2024-5315 | Multiple vulnerabilities in DOLIBARR's ERP CMS | from 0, <= 9.0.1 |
| CRITICAL | 9.1 | CVE-2024-5314 | Multiple vulnerabilities in DOLIBARR's ERP CMS | from 0, <= 9.0.1 |
| | | | | >= 2.8.1, < 14.0.0 |
| HIGH | 8.8 | CVE-2026-31019 | Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions | from 0, <= 22.0.4 |
| HIGH | 8.8 | CVE-2026-31018 | Dolibarr Allows Code Injection through its Website Module | from 0, <= 15.0.3 |
| HIGH | 8.8 | CVE-2025-56588 | Dolibarr vulnerable to RCE via the computed field parameter | from 0, < 21.0.3 |
| | | | | from 0, < 19.0.2 |
| | | | | from 0, < 17.0.1 |
| HIGH | 8.8 | CVE-2023-30253 | Dolibarr vulnerable to remote code execution via uppercase manipulation | from 0, < 17.0.1 |
| HIGH | 8.8 | CVE-2020-14209 | Dolibarr Unrestricted Upload of File with Dangerous Type | from 0, < 11.0.5 |
| HIGH | 8.8 | CVE-2020-14443 | Dolibarr SQL injection vulnerability in accountancy/customer/card.php | from 0, < 11.0.5 |
| | | | | from 0, < 12.0.0 |
| HIGH | 8.8 | CVE-2020-11825 | Dolibarr Cross-Site Request Forgery Vulnerability | from 0, <= 10.0.6 |
| HIGH | 8.8 | CVE-2019-11200 | Dolibarr ERP and CRM malicious executable loading | from 0, < 9.0.3 |
| HIGH | 8.8 | CVE-2017-9840 | Dolibarr ERP and CRM Unsafe File Upload Vulnerability | from 0, <= 5.0.3 |
| HIGH | 8.8 | CVE-2017-9839 | Dolibarr SQL injection via type parameter in product/stats/card.php | from 0, < 5.0.4 |
| | | | | from 0, <= 7.0.0 |
| HIGH | 8.8 | CVE-2018-19994 | Dolibarr error-based SQL injection vulnerability in product/card.php | from 0, < 8.0.4 |
| HIGH | 8.8 | CVE-2018-19998 | Dolibarr SQL injection vulnerability in user/card.php | from 0, < 8.0.4 |
| | | | | from 0, < 14.0.0 |
| | | | | from 0, < 15.0.1 |
| HIGH | 8.8 | CVE-2021-25957 | Weak Password Recovery Mechanism for Forgotten Password | from 0, < 14.0.0 |
| | | | | from 0, <= 14.0.5 |
| HIGH | 8.2 | CVE-2019-25710 | Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php | from 0, <= 8.0.4 |
| | | | | >= 10.0, < 10.0.2 |
| | | | | from 0, < 9.0.3 |
| | | | | from 0, < 7.0.2 |
| HIGH | 7.5 | CVE-2024-31503 | Dolibarr vulnerable to Cross-Site Request Forgery | from 0, <= 19.0.0 |
| HIGH | 7.5 | CVE-2023-4197 | Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE | from 0, < 18.0.2 |
| HIGH | 7.5 | CVE-2023-33568 | Dolibarr vulnerable to unauthenticated database access | >= 16.0.0, < 16.0.5 |
| | | | | from 0, < 10.0.3 |
| | | | | from 0, < 6.0.1 |
| | | | | from 0, < 6.0.5 |
| | | | | from 0, < 14.0.1 |
| HIGH | 7.2 | CVE-2023-38886 | Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script | from 0, < 17.0.1 |
| | | | | from 0, < 12.0.4 |
| HIGH | 7.2 | CVE-2021-25956 | Improper User Access Control in "Dolibarr" Leads to Account Takeover | >= 3.3.beta1, < 14.0.0 |
| HIGH | 7.1 | CVE-2024-23817 | Dolibarr Application Home Page HTML injection vulnerability | >= 18.0.4, < 18.0.7 |
| MEDIUM | 6.8 | CVE-2024-29477 | Dolibarr ERP CRM Code Injection vulnerability during installation | from 0, <= 19.0.0 |
| MEDIUM | 6.8 | CVE-2017-8879 | Dolibarr allows password changes without supplying the current password | |
| MEDIUM | 6.5 | CVE-2026-34036 | Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php | from 0, <= 22.0.4 |
| MEDIUM | 6.5 | CVE-2023-4198 | Dolibarr ERP CRM (<= 17.0.3) Improper Access Control | from 0, < 18.0.0 |
| | | | | from 0, < 11.0.5 |
| MEDIUM | 6.5 | CVE-2022-0731 | Improper Access Control (IDOR) in dolibarr/dolibarr | from 0, < 16.0 |
| | | | | from 0, <= 13.0.2 |
| MEDIUM | 6.1 | CVE-2020-14475 | Dolibarr reflected cross-site scripting (XSS) vulnerability | from 0, < 11.0.5 |
| | | | | from 0, < 10.0.3 |
| MEDIUM | 6.1 | CVE-2020-7994 | Dolibarr cross-site scripting (XSS) vulnerability | from 0, < 11.0.1 |
| MEDIUM | 6.1 | CVE-2017-7887 | Dolibarr ERP and CRM contain XSS Vulnerability | from 0, <= 4.0.4 |
| | | | | from 0, < 6.0.5 |
| MEDIUM | 6.1 | CVE-2018-10095 | Dolibarr Cross-site scripting (XSS) vulnerability | from 0, < 7.0.2 |
| MEDIUM | 6.1 | CVE-2018-19993 | Dolibarr reflected cross-site scripting (XSS) vulnerability | from 0, < 8.0.4 |
| | | | | from 0, <= 8.0.3 |
| MEDIUM | 6.1 | CVE-2018-16808 | Dolibarr Stored Cross-site Scripting in expensereport/card.php | from 0, < 7.0.1 |
| | | | | from 0, <= 10.0.6 |
| | | | | from 0, < 10.0.2 |
| MEDIUM | 5.5 | CVE-2024-40137 | Dolibarr ERP CRM vulnerable to remote code execution (RCE) | from 0, < 19.0.2 |
| MEDIUM | 5.4 | CVE-2023-5323 | Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr | from 0, < 18.0.0 |
| MEDIUM | 5.4 | CVE-2022-2060 | Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr | from 0, < 16.0 |
| MEDIUM | 5.4 | CVE-2020-13828 | Dolibarr stored Cross-Site Scripting (XSS) vulnerability | from 0, <= 11.0.4 |
| MEDIUM | 5.4 | CVE-2020-13239 | Dolibarr Stored Cross-site Scripting via file upload | |
| MEDIUM | 5.4 | CVE-2020-11823 | Dolibarr stored Cross-site Scripting vulnerability | from 0, < 10.0.3 |
| MEDIUM | 5.4 | CVE-2020-9016 | Dolibarr ERP and CRM contain XSS Vulnerability | from 0, <= 11.0.0 |
| | | | | from 0, <= 10.0.3 |
| MEDIUM | 5.4 | CVE-2019-17576 | Dolibarr Cross-site Scripting via outgoing email setup feature | |
| MEDIUM | 5.4 | CVE-2019-17577 | Dolibarr Cross-site Scripting via outgoing email setup feature | |
| MEDIUM | 5.4 | CVE-2019-16687 | Dolibarr Cross-site Scripting in a User Profile in a Signature section | |
| MEDIUM | 5.4 | CVE-2019-16688 | Dolibarr stored Cross-site Scripting in an Email Template section | |
| MEDIUM | 5.4 | CVE-2019-16686 | Dolibarr Cross-site Scripting in a User Note section | |
| MEDIUM | 5.4 | CVE-2019-16685 | Dolibarr stored Cross-site Scripting vulnerability | |
| MEDIUM | 5.4 | CVE-2016-1912 | Dolibarr ERP and CRM contain XSS Vulnerabilities | from 0, <= 3.8.3 |
| | | | | from 0, < 6.0.1 |
| MEDIUM | 5.4 | CVE-2017-14239 | Dolibarr cross-site scripting (XSS) vulnerability | >= 6.0.0, < 6.0.1 |
| | | | | from 0, < 7.0.0 |
| | | | | from 0, <= 7.0.0 |
| MEDIUM | 5.4 | CVE-2017-9838 | Dolibarr Cross-Site Scripting (XSS) vulnerability | from 0, < 5.0.4 |
| MEDIUM | 5.4 | CVE-2018-19995 | Dolibarr stored cross-site scripting (XSS) vulnerability | from 0, < 8.0.4 |
| MEDIUM | 5.4 | CVE-2018-19992 | Dolibarr stored cross-site scripting (XSS) vulnerability | from 0, < 8.0.4 |
| | | | | from 0, < 13.0.0 |
| MEDIUM | 5.4 | CVE-2021-42220 | Dolibarr Cross Site Scripting (XSS) vulnerability | from 0, < 14.0.3 |
| | | | | from 0, < 11.0.4 |
| | | | | from 0, <= 23.0.2 |
| MEDIUM | 4.8 | CVE-2023-5842 | Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr | from 0, < 16.0.5 |
| MEDIUM | 4.3 | CVE-2021-3991 | Improper Authorization in dolibarr/dolibarr | from 0, < 15.0.0 |
| | | | | from 0, < 16.0 |
| MEDIUM | 4.3 | CVE-2022-0414 | Improper Validation of Specified Quantity in Input in dolibarr/dolibarr | from 0, < 15.0 |
| MEDIUM | 4.3 | CVE-2022-0174 | Improper Validation of Specified Quantity in Input in dolibarr/dolibarr | from 0, < 15.0.0 |
| | | | | >= 2.8.1, < 14.0.0 |
| LOW | 3.7 | CVE-2026-7689 | Dolibarr has Insufficient Verification of Data Authenticity | from 0, <= 15.0.3 |
| | | | | from 0, < 19.0.2 |
| | — | CVE-2015-3935 | Dolibarr ERP and CRM contain Cross-site Scripting Vulnerability | >= 3.5.0, < 3.5.8 |