CVE-2012-10059 CRITICAL

CVE-2012-10059: Dolibarr ERP/CRM Post-Auth OS Command Injection

Vendor: Dolibarr Project
Product: ERP/CRM
Weakness: CWE-78 (OS Command Injection)
Published: August 13, 2025
Last update: May 25, 2026

CVSS base score

9.4/10 (CVSS 4.0)
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authentication OS command injection vulnerability in the database backup feature. The export.php script does not sanitize the sql_compat parameter, so an authenticated user can inject arbitrary system commands and achieve remote code execution on the server.

Disclosure timeline

August 13, 2025: CVE published
May 25, 2026: Record updated