Description
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
Published: 2026-04-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability allows an authenticated user with limited permissions in the Dolibarr Website module to inject arbitrary PHP code through unprotected inputs during page creation. Because the permission checks are not applied consistently to all input parameters, the injected PHP can be executed on the server, providing the attacker with full remote code execution capabilities on the affected Dolibarr installation. This leads to a complete compromise of confidentiality, integrity and availability of the underlying web application and any data it manages.

Affected Systems

Dolibarr ERP & CRM versions up to and including 22.0.4 are affected. No other vendor or product is listed. Releases later than 22.0.4 are not listed as impacted.

Risk and Exploitability

The vulnerability’s impact is Remote Code Execution. The CVSS score is 8.8, indicating a high severity level. Exploitation requires only an authenticated Dolibarr account that has access to the Website module and the HTML/JavaScript editing permission; it does not require elevated system privileges. Since no EPSS information or KEV listing is available, the likelihood of exploitation is unknown, but the potential damage is severe. No official patch or workaround is listed.

Generated by OpenCVE AI on April 21, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr to the latest release that includes a fix for the PHP injection flaw, or apply the vendor’s patch once it becomes available.
  • Remove or restrict the Website module permission that allows users to edit HTML/JavaScript unless absolutely necessary; lock the role to read-only or no edit privileges.
  • Configure the web server to disable PHP code execution in the directory where website pages are stored, or enforce server-side input sanitization to strip PHP opening tags before storage.
  • As a temporary measure, deploy a web-application firewall rule that blocks payloads containing "<?php" or related PHP code in website page submissions.
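As an added example of the server-side check in the third recommendation above (this is not Dolibarr's or OpenCVE's code), the script below uses PHP's own tokenizer to decide whether submitted page content contains PHP, instead of matching the literal string "<?php" the way a WAF rule would, and shows a hypothetical save hook that applies the same check to every content-bearing field. The hook, its field names ('header', 'body', 'footer') and the sample submissions are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Dolibarr's own code. It relies on ext/tokenizer
// (enabled by default): token_get_all() runs the same lexer the engine
// uses to execute a file, so it flags every open-tag form this server
// would honour, whatever its case and whether or not short_open_tag is on.

/** True if $content contains anything the lexer treats as PHP code. */
function containsPhpCode(string $content): bool
{
    foreach (token_get_all($content) as $token) {
        // Text outside any PHP tag comes back as T_INLINE_HTML; every
        // other token (including single-character string tokens such as
        // ';' or '(') can only occur inside PHP code.
        if (!is_array($token) || $token[0] !== T_INLINE_HTML) {
            return true;
        }
    }
    return false;
}

/** Keep only the inline HTML/JS segments, dropping every PHP segment. */
function stripPhpCode(string $content): string
{
    $kept = '';
    foreach (token_get_all($content) as $token) {
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            $kept .= $token[1];
        }
    }
    // Note: a closing "?>" swallows one following newline, so that
    // newline is not preserved in the stripped output.
    return $kept;
}

/**
 * Hypothetical save hook; the field names are constructed, not
 * Dolibarr's. The property that matters is that every content-bearing
 * parameter goes through the same check: the advisory describes the
 * failure mode where at least one parameter did not.
 *
 * @param array<string,string> $params     submitted page fields
 * @param bool                 $canEditPhp caller holds the PHP-editing right
 * @return array{0: array<string,string>, 1: list<string>}
 *         sanitized fields, and the names of fields that contained PHP
 */
function validatePageSubmission(array $params, bool $canEditPhp): array
{
    $clean = [];
    $rejected = [];
    foreach (['header', 'body', 'footer'] as $field) {
        $value = $params[$field] ?? '';
        if (!$canEditPhp && containsPhpCode($value)) {
            $rejected[] = $field;
            $value = stripPhpCode($value);
        }
        $clean[$field] = $value;
    }
    return [$clean, $rejected];
}

// Constructed sample submissions (benign content only).
$samples = [
    'html only'      => '<div onclick="alert(1)">Hello</div>',
    'lower-case tag' => '<p><?php echo date("Y"); ?></p>',
    'upper-case tag' => '<p><?PHP echo "hi"; ?></p>',
    'echo tag'       => '<p><?= 1 + 1 ?></p>',
];

foreach ($samples as $label => $html) {
    printf(
        "%-15s literal '<?php' match: %-4s tokenizer: %s\n",
        $label,
        strpos($html, '<?php') !== false ? 'yes' : 'no',
        containsPhpCode($html) ? 'yes' : 'no'
    );
}

[$clean, $rejected] = validatePageSubmission(
    ['header' => '', 'body' => $samples['upper-case tag'], 'footer' => '<p>bye</p>'],
    false
);
echo 'fields containing PHP: ', implode(', ', $rejected), PHP_EOL;
echo 'stored body:           ', $clean['body'], PHP_EOL;
```

Because token_get_all() is the server's own lexer, the check agrees with that server's configuration (for example, it treats "<?xml" as code only where short_open_tag is enabled), which a literal-string rule cannot guarantee. Stripping is shown for completeness; rejecting the submission and logging the offending field is the safer default, since a silently altered page hides the attempt from the operators who should be looking into it.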

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dolibarr; Dolibarr dolibarr Erp/crm
Vendors & Products  |                | Dolibarr; Dolibarr dolibarr Erp/crm

Wed, 22 Apr 2026 00:00:00 +0000

Type  | Values Removed | Values Added
Title |                | Authenticated Users Can Inject PHP Code in Dolibarr Website Module

Tue, 21 Apr 2026 16:15:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-284; CWE-94
Metrics    |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
           |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
References  |                |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T15:31:23.441Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31018

Vulnrichment

Updated: 2026-04-21T15:28:02.956Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T15:16:36.443

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-31018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:07Z

Weaknesses