Nixpkgs security tracker

Untriaged

Permalink CVE-2026-23500

created 1 day ago

Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0 , the ODT to PDF conversion process in odf.php concatenates the MAIN_ODT_AS_PDF configuration constant directly into a shell command passed to exec() without sanitization. An authenticated administrator can inject arbitrary OS commands via this constant using command separators, achieving remote code execution as the web server user when any ODT template is generated. This issue has been fixed in version 23.0.0.

References

https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w x_refsource_CONFIRM
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0 x_refsource_MISC

Affected products

dolibarr

==< 23.0.0

Matching in nixpkgs

pkgs.dolibarr

Enterprise resource planning (ERP) and customer relationship manager (CRM) server

nixos-unstable 23.0.2
- nixpkgs-unstable 23.0.2
- nixos-unstable-small 23.0.2
nixos-25.11 22.0.4
- nixos-25.11-small 22.0.4
- nixpkgs-25.11-darwin 22.0.4

Package maintainers

@GaetanLepage Gaetan Lepage <gaetan@glepage.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.dolibarr

Package maintainers