CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58376

highCVSS 7.6covered by 1 sourcefirst seen 2026-06-30
Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape such as an appended UNION SELECT to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.

⚡ Watch CVE-2026-58376

Get an email if CVE-2026-58376 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58376

CVE.org record

Embed the live status

CVE-2026-58376 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58376 status](https://www.csirts.com/badge/CVE-2026-58376)](https://www.csirts.com/cve/CVE-2026-58376)