SB20260420106 - Multiple vulnerabilities in dolibarr
Published: April 20, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) PHP file inclusion (CVE-ID: CVE-2026-34036)
CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper control of filename for include statement in /core/ajax/selectobject.php when processing the objectdesc parameter. A remote user can send a specially crafted request to disclose sensitive information.
The issue is triggered before access control checks are performed, and the access control logic fails open when the features parameter is empty.
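As an added illustration (not Dolibarr's own code, and not a description of how selectobject.php is implemented), the PHP sketch below shows the two defensive properties the description above implies are missing: the include target is resolved only through a fixed allowlist, so the request parameter is a lookup key and never part of a path, and the permission check runs before any file is touched and denies when the features value is empty instead of skipping the check. The OBJECT_CLASS_FILES map, the shape of the $userRights array and all function names are assumptions made for this example.

```php
<?php
// Added illustration, not Dolibarr code: allowlisted include resolution and a
// fail-closed permission gate for an AJAX endpoint that loads an object class.
declare(strict_types=1);

// Constructed allowlist: request token => class file relative to the app root.
const OBJECT_CLASS_FILES = [
    'societe' => 'societe/class/societe.class.php',
    'product' => 'product/class/product.class.php',
    'contact' => 'contact/class/contact.class.php',
];

/**
 * Map an untrusted descriptor to an include path, or return null.
 * The parameter value is only used as an array key, so traversal sequences,
 * stream wrappers or absolute paths can never reach require_once().
 */
function resolveObjectClassFile(string $appRoot, string $objectDesc): ?string
{
    // Conservative character set before any lookup.
    if (!preg_match('/^[a-z][a-z0-9_]{0,63}$/', $objectDesc)) {
        return null;
    }
    if (!array_key_exists($objectDesc, OBJECT_CLASS_FILES)) {
        return null;
    }
    $root = realpath($appRoot);
    $path = realpath($appRoot . '/' . OBJECT_CLASS_FILES[$objectDesc]);
    // Defence in depth: the resolved file must still live inside the app root.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Fail-closed permission gate. An empty feature list denies access rather
 * than bypassing the check. $userRights is a constructed stand-in for the
 * application's permission model: $userRights['societe']['read'] = true.
 */
function userMayAccess(array $userRights, string $features): bool
{
    $features = trim($features);
    if ($features === '') {
        return false; // nothing to check against means deny, never allow
    }
    foreach (explode('|', $features) as $feature) {
        if (empty($userRights[$feature]['read'])) {
            return false;
        }
    }
    return true;
}

// Ordering matters: authorise first, resolve the include second.
function handleRequest(string $appRoot, array $userRights, array $get): void
{
    if (!userMayAccess($userRights, (string)($get['features'] ?? ''))) {
        http_response_code(403);
        return;
    }
    $file = resolveObjectClassFile($appRoot, (string)($get['objectdesc'] ?? ''));
    if ($file === null) {
        http_response_code(400);
        return;
    }
    require_once $file;
    // ... object-specific handling continues here ...
}
```

The order of the two checks is the point of the second sentence above: a permission gate that is evaluated after the include, or that returns early on empty input, protects nothing.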
2) OS Command Injection (CVE-ID: CVE-2026-23500)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary operating system commands.
The vulnerability exists due to command injection in htdocs/includes/odtphp/odf.php when converting ODT documents to PDF using the MAIN_ODT_AS_PDF configuration constant. A remote privileged user can inject a malicious command path into the configuration value to execute arbitrary operating system commands.
Exploitation requires the Commercial Proposals module and ODT templates to be enabled.
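As an added illustration (not Dolibarr's own code), the PHP sketch below shows one way to invoke an external ODT-to-PDF converter whose location comes from a configuration constant without letting that value change what gets executed: the configured value must match an allowlisted absolute path exactly, and the process is started from an argv array via proc_open(), which on PHP 7.4 and later runs the program directly with no shell parsing the command line. The allowlist contents, the LibreOffice command-line flags and the function names are assumptions made for this example.

```php
<?php
// Added illustration, not Dolibarr code: run a configured converter binary
// without shell interpretation of either the configured path or file names.
declare(strict_types=1);

// Constructed allowlist of converter binaries an administrator may select.
const ALLOWED_CONVERTERS = [
    '/usr/bin/soffice',
    '/usr/bin/libreoffice',
];

/**
 * Accept the configured converter only if it is exactly one allowlisted,
 * executable absolute path. A value that carries extra tokens, separators
 * or substitutions can never equal an allowlist entry, so it is rejected.
 */
function validateConverterPath(string $configured): ?string
{
    $configured = trim($configured);
    if (!in_array($configured, ALLOWED_CONVERTERS, true)) {
        return null;
    }
    $real = realpath($configured);
    if ($real === false || !is_executable($real)) {
        return null;
    }
    return $real;
}

/**
 * Start the converter from an argv array. Because no shell is involved,
 * metacharacters in $odtPath or $outDir are ordinary bytes of an argument.
 * Returns the process exit status, or -1 if it could not be started.
 */
function runConverter(string $converter, string $odtPath, string $outDir): int
{
    $argv = [$converter, '--headless', '--convert-to', 'pdf', '--outdir', $outDir, $odtPath];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, $outDir);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        error_log('ODT to PDF conversion failed (' . $status . '): ' . trim($stderr));
    }
    return $status;
}

/**
 * Entry point: $configuredConverter is the value read from configuration
 * (the page's MAIN_ODT_AS_PDF constant is the analogue). Refuse to run if it
 * is not allowlisted, and only accept an existing .odt input file.
 */
function convertOdtToPdf(string $configuredConverter, string $odtPath, string $outDir): bool
{
    $converter = validateConverterPath($configuredConverter);
    if ($converter === null) {
        error_log('ODT to PDF conversion refused: converter not in allowlist');
        return false;
    }
    if (!is_file($odtPath) || strtolower(pathinfo($odtPath, PATHINFO_EXTENSION)) !== 'odt') {
        return false;
    }
    if (!is_dir($outDir)) {
        return false;
    }
    return runConverter($converter, $odtPath, $outDir) === 0;
}
```

Two layers are deliberately combined: the allowlist decides which program an administrator-controlled setting may name at all, and the argv-based proc_open() call removes the shell so that neither that setting nor the document file names can append further commands.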
Remediation
Install the update from the vendor's website.