CVE-2026-23500: Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the MAIN_ODT_AS_PDF configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the exec() function in the ODT to PDF conversion process.
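The pattern the advisory describes is a configured converter path reaching exec() unchanged. As an added illustration that is not Dolibarr's code, the PHP below places that unsafe pattern beside a hardened version that only accepts the configured value if it resolves to an executable on a fixed allowlist and escapes every shell argument. The function names, the allowlist entries and the use of LibreOffice's headless `--convert-to pdf` invocation are assumptions for the example, not details taken from the advisory.

```php
<?php
// Added example (not Dolibarr code): unsafe vs. hardened handling of a
// configured ODT-to-PDF converter path before it reaches exec().
// Function names and the allowlist below are assumptions for illustration.

declare(strict_types=1);

// UNSAFE: the configured value is interpolated into the shell command
// string as-is, so shell metacharacters in it are interpreted by the shell.
function convertOdtToPdfUnsafe(string $configuredCommand, string $odtPath): int
{
    $cmd = $configuredCommand . ' ' . $odtPath;
    exec($cmd, $output, $status);
    return $status;
}

// Hardened version: fixed allowlist of converter binaries (assumed paths).
const ALLOWED_CONVERTERS = [
    '/usr/bin/soffice',
    '/usr/bin/libreoffice',
];

// Returns the resolved converter path, or null if the configured value
// is not an absolute path to an allowlisted, executable binary.
function validateConverterPath(string $configured): ?string
{
    $configured = trim($configured);
    // Only an absolute path made of a conservative character set is accepted;
    // spaces, ';', '|', '$', backticks, quotes etc. are rejected here.
    if (!preg_match('~^/[A-Za-z0-9_./-]+$~', $configured)) {
        return null;
    }
    // Resolve symlinks and "..", then compare against the allowlist.
    $real = realpath($configured);
    if ($real === false || !in_array($real, ALLOWED_CONVERTERS, true)) {
        return null;
    }
    return is_executable($real) ? $real : null;
}

function convertOdtToPdfSafe(string $configuredCommand, string $odtPath, string $outDir): int
{
    $converter = validateConverterPath($configuredCommand);
    if ($converter === null) {
        throw new RuntimeException('Configured ODT-to-PDF converter is not on the allowlist');
    }
    if (pathinfo($odtPath, PATHINFO_EXTENSION) !== 'odt' || !is_file($odtPath)) {
        throw new RuntimeException('Input is not an existing .odt file');
    }
    if (!is_dir($outDir)) {
        throw new RuntimeException('Output directory does not exist');
    }
    // Binary path is validated; every argument is individually escaped.
    $cmd = escapeshellarg($converter)
         . ' --headless --convert-to pdf --outdir ' . escapeshellarg($outDir)
         . ' ' . escapeshellarg($odtPath);
    exec($cmd, $output, $status);
    return $status;
}

// Constructed sample configuration values, as a quick check of the validator.
var_dump(validateConverterPath('/usr/bin/soffice'));          // path, or null if not installed here
var_dump(validateConverterPath('/usr/bin/soffice; echo x'));  // null: rejected by the pattern
var_dump(validateConverterPath('../../usr/bin/soffice'));     // null: not an absolute path
```

The point of the allowlist is that a configuration constant editable through the admin UI is treated as untrusted input: even an administrator's value should only ever select among converters the deployment already trusts, never define the command itself.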