CVE-2026-7688: SQL Injection in Dolibarr ERP CRM
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
This vulnerability exists in Dolibarr ERP CRM versions 23.0.0 through 23.0.2 within the _checkValForAPI function of the htdocs/expedition/class/expedition.class.php file, specifically in the Shipments API Endpoint. By manipulating the argument fields, an attacker can perform SQL injection remotely. The attack complexity is high, and no privileges or user interaction are required. The CVSS 4.0 vector indicates network attack vector, high complexity, low privileges, no user interaction, and low impact on confidentiality, integrity, and availability. The vendor has not issued a fix or advisory, and no patch links are available.
Potential Impact
Successful exploitation could allow an attacker to execute unauthorized SQL commands on the backend database via the Shipments API Endpoint. However, the low CVSS score and high attack complexity suggest limited practical impact. There are no reports of active exploitation in the wild. The vulnerability could potentially lead to data exposure or modification but requires significant effort to exploit.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or released a fix, users should monitor official Dolibarr channels for updates. Until a patch is available, consider restricting access to the Shipments API Endpoint or applying additional input validation and filtering at the application or network level to reduce exposure.
CVE-2026-7688: SQL Injection in Dolibarr ERP CRM
Description
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS v4.0
Score 2.3low
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability exists in Dolibarr ERP CRM versions 23.0.0 through 23.0.2 within the _checkValForAPI function of the htdocs/expedition/class/expedition.class.php file, specifically in the Shipments API Endpoint. By manipulating the argument fields, an attacker can perform SQL injection remotely. The attack complexity is high, and no privileges or user interaction are required. The CVSS 4.0 vector indicates network attack vector, high complexity, low privileges, no user interaction, and low impact on confidentiality, integrity, and availability. The vendor has not issued a fix or advisory, and no patch links are available.
Potential Impact
Successful exploitation could allow an attacker to execute unauthorized SQL commands on the backend database via the Shipments API Endpoint. However, the low CVSS score and high attack complexity suggest limited practical impact. There are no reports of active exploitation in the wild. The vulnerability could potentially lead to data exposure or modification but requires significant effort to exploit.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since the vendor has not responded or released a fix, users should monitor official Dolibarr channels for updates. Until a patch is available, consider restricting access to the Shipments API Endpoint or applying additional input validation and filtering at the application or network level to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-02T16:27:22.949Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f71a9bcbff5d8610e3b40c
Added to database: 5/3/2026, 9:51:23 AM
Last enriched: 5/11/2026, 2:10:27 AM
Last updated: 6/17/2026, 4:01:31 PM
Views: 108
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.