CVE-2018-25357
Severity CVSS v4.0:
CRITICAL
Type:
CWE-94
Code Injection
Publication date:
23/05/2026
Last modified:
17/06/2026
Description
Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:* | 7.0.3 (including) |
To consult the complete list of CPE names with products and versions, see this page



