CVE-2026-7688

MEDIUM

Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection

Title source: cna

Description

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (3)

Core 3

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection

https://vuldb.com/vuln/360858

Signature, Permissions Required signature permissions-required

VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/360858/cti

Third Party Advisory third-party-advisory

Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection

https://vuldb.com/submit/799337

Scores

CVSS v3 5.0

EPSS 0.0002

EPSS Percentile 7.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (4)

dolibarr/dolibarr 0 - 23.0.2Packagist

Dolibarr/ERP CRM 23.0.0

Dolibarr/ERP CRM 23.0.1

Dolibarr/ERP CRM 23.0.2

Published May 03, 2026

Tracked Since May 03, 2026