CVE-2025-56588: 
PHP vulnerability analysis and mitigation

Dolibarr ERP & CRM version 21.0.1 contains a remote code execution (RCE) vulnerability in the User module configuration via the computed field parameter. The vulnerability was discovered in October 2025 and assigned CVE-2025-56588. The issue affects the User module's computed field feature and has been assigned a CVSS v3.1 base score of 8.8 (High) (NVD, Ubuntu).

The vulnerability exists in the computed field feature for user extra fields, which evaluates administrator-defined expressions when views are rendered. Faulty handling of these evaluated expressions can be abused to execute arbitrary code on the server during rendering. This vulnerability demonstrates a bypass of previous mitigations that were applied for CVE-2024-40137 (Research).

The vulnerability allows for code execution on the server with high severity impact. While it requires an administrator account on the application, successful exploitation could lead to complete system compromise with high impacts on confidentiality, integrity, and availability (Miggo).

A patch has been released to address this vulnerability through a commit (b03f30c7e27fb89dbfb15902dbf4619ae77f0f86) in the Dolibarr repository. Organizations running affected versions should upgrade to the patched version (Research).