2 vulnerabilities scored HIGH or above on May 23, 2026.
- HIGH: 2
[HIGH] dolibarr/dolibarr_erp_crm
CVE-2018-25357 | CVSS 9.3
Dolibarr ERP CRM versions 7.0.3 and earlier are vulnerable to unauthenticated remote code execution through the installation script (CVSS 9.3). Attackers can inject arbitrary PHP code via the db_name parameter in install/step1.php and execute commands through the check.php endpoint without authentication. Organizations running Dolibarr should immediately upgrade to patched versions, restrict web access to installation directories, and review access logs for exploitation attempts.
[HIGH] userspice/userspice
CVE-2018-25350 | CVSS 9.3
UserSpice 4.3.24 is vulnerable to username enumeration through the existingUsernameCheck.php endpoint, which lets unauthenticated attackers discover valid user accounts (CVSS 9.3). Attackers can submit usernames and check the response text for the 'taken' string to systematically identify existing accounts, enabling targeted credential attacks and social engineering campaigns. Organizations running UserSpice should upgrade to patched versions, implement rate limiting on the username check endpoint, and monitor for automated enumeration attempts.