Dolibarr ERP/CRM is affected by SQL injection in versions prior to 5.0.4 via product/stats/card.php (type parameter).
dolibarr dolibarr erp\\/crm