CVE-2023-30253

HIGH

Dolibarr < 17.0.1 - Authenticated Remote Code Execution via Uppercase PHP Tag Injection

Title source: llm

Exploitation Summary

EIP tracks 10 public exploits for CVE-2023-30253: PoCs published by nikn0laty, dollarboysushil, Rubikcuv5 and others, plus the Metasploit module exploits/unix/http/dolibarr_cms_rce_cve_2023_30253.

AI-analyzed exploit summary: This is a functional exploit for CVE-2023-30253, targeting Dolibarr <= 17.0.0. It achieves remote code execution by injecting PHP code into a website page via authenticated API calls, resulting in a reverse shell.

Description

Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.

Exploits (10)

nomisec WORKING POC 41 stars
by nikn0laty · poc
https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253

This is a functional exploit for CVE-2023-30253, targeting Dolibarr <= 17.0.0. It achieves remote code execution by injecting PHP code into a website page via authenticated API calls, resulting in a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr <= 17.0.0
Auth required
Prerequisites: Valid credentials for Dolibarr · Network access to the target · Listener set up for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 9 stars
by dollarboysushil · poc
https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253

This repository contains a working exploit for CVE-2023-30253, a remote code execution vulnerability in Dolibarr 17.0.0. The exploit leverages an uppercase manipulation technique to bypass PHP code injection filters, allowing authenticated users to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr 17.0.0
Auth required
Prerequisites: Authenticated access to Dolibarr · Ability to create/modify websites and pages
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 6 stars
by Rubikcuv5 · poc
https://github.com/Rubikcuv5/cve-2023-30253

This PoC exploits CVE-2023-30253, an authenticated RCE vulnerability in Dolibarr ERP/CRM. It automates login, website/page creation, and payload injection via a malicious PHP section to execute system commands.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr ERP/CRM (versions affected by CVE-2023-30253)
Auth required
Prerequisites: Valid credentials for Dolibarr admin panel · Access to the target's /website/index.php endpoint
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by g4nkd · poc
https://github.com/g4nkd/CVE-2023-30253-PoC

This PoC exploits CVE-2023-30253 in Dolibarr 17.0.0 by injecting PHP code into a website page via the CMS Website plugin, bypassing restrictions to achieve remote command execution. It authenticates, creates a site/page, injects a reverse shell payload, and triggers execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr 17.0.0 with CMS Website plugin enabled
Auth required
Prerequisites: Authenticated access to Dolibarr · CMS Website plugin enabled · Network connectivity to target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by andria-dev · poc
https://github.com/andria-dev/DolibabyPhp

This repository contains a functional exploit for CVE-2023-30253, an authenticated RCE vulnerability in Dolibarr ERP/CRM. The exploit bypasses PHP code sanitation by using mixed-case variations (e.g., 'PHP' or 'pHp') and provides multiple payload options including reverse shells and custom commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr ERP/CRM (version affected by CVE-2023-30253)
Auth required
Prerequisites: Valid credentials for Dolibarr instance · Network access to target · PHP code execution permissions
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Jeanback1 · poc
https://github.com/Jeanback1/CVE-2023-30253-exploit

This repository contains a functional Python exploit for CVE-2023-30253, which leverages a case-sensitive PHP tag filtering bypass in Dolibarr ERP/CRM 17.0.0 to achieve remote code execution (RCE). The exploit automates the process of logging in, creating a website, injecting malicious PHP code using uppercase tags (e.g., <?PHP), and triggering execution via a crafted page.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr ERP/CRM < 17.0.1
Auth required
Prerequisites: Authenticated user credentials · Website/CMS module enabled in Dolibarr
devstral-2 · analyzed May 30, 2026
nomisec WORKING POC
by 1lkla · poc
https://github.com/1lkla/POC-exploit-for-Dolibarr

This is a functional exploit for CVE-2023-30253, targeting Dolibarr <= 17.0.0. It achieves remote code execution by injecting a PHP reverse shell into a dynamically created website page after authenticating as a valid user.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr <= 17.0.0
Auth required
Prerequisites: Valid Dolibarr credentials · Network access to the target · Listener set up for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by bluetoothStrawberry · poc
https://github.com/bluetoothStrawberry/CVE-2023-30253

This exploit targets CVE-2023-30253, a PHP code injection vulnerability in Dolibarr 17.0.0. It authenticates with default credentials, creates a site and page, injects malicious PHP code, and triggers execution to achieve remote command execution via a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr 17.0.0
Auth required
Prerequisites: Default credentials (admin/admin) · Network access to the target · Dolibarr 17.0.0 instance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by 04Shivam · poc
https://github.com/04Shivam/CVE-2023-30253-Exploit

This PoC exploits an authenticated RCE vulnerability in Dolibarr CMS by creating a malicious website page with embedded PHP code that executes a base64-encoded reverse shell payload. It automates login, website/page creation, and payload delivery.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr CMS (version not specified, likely <= 17.0)
Auth required
Prerequisites: Valid admin credentials · Network access to target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Tinexta Cyber Offensive Security Team, Emanuele Cervelli · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/dolibarr_cms_rce_cve_2023_30253.rb

This Metasploit module exploits an authenticated PHP code injection vulnerability in Dolibarr ERP/CRM before 17.0.1. It bypasses a lowercase `<?php` tag filter by using uppercase variants (e.g., `<?PHP`) to inject arbitrary PHP code, achieving remote code execution when the page is rendered.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dolibarr ERP/CRM < 17.0.1
Auth required
Prerequisites: Valid credentials for Dolibarr · Access to the Website module
devstral-2 · analyzed May 17, 2026


Scores

CVSS v3 8.8
EPSS 0.8918
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
dolibarr/dolibarr 0 - 17.0.1 (Packagist)
dolibarr/dolibarr_erp/crm < 17.0.1
Published May 29, 2023
Tracked Since Feb 18, 2026