Description
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.
Published: 2026-04-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

In Dolibarr ERP & CRM versions 22.0.4 and earlier, the Website module relies on a blacklist of PHP functions to prevent dangerous operations. An authenticated user granted permission to edit PHP content can sidestep this filtering, allowing execution of arbitrary system commands. This flaw enables a malicious actor to gain full code execution on the host server, compromising confidentiality, integrity, and availability of the entire system.

Affected Systems

Dolibarr ERP & CRM (Website module), specifically any installation using version 22.0.4 or earlier.

Risk and Exploitability

The vulnerability carries a high severity rating; the CVSS score of 8.8 indicates high severity, and the ability to execute arbitrary commands gives attackers complete control over the underlying operating system. No EPSS score is available, so precise exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog, yet it remains a critical risk for any environment where users can edit PHP files without stringent controls.

Generated by OpenCVE AI on April 22, 2026 at 07:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official update to Dolibarr ERP & CRM to remove the vulnerability. If no update is yet available, upgrade to a version newer than 22.0.4.
  • Limit or remove permission for users to edit PHP content in the Website module until the patch is applied.
  • Configure the PHP runtime to disable dangerous functions such as system, exec, shell_exec, popen, and proc_open, and enforce a strict whitelist of allowed operations.

Generated by OpenCVE AI on April 22, 2026 at 07:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Website Module Bypass Enables Remote Code Execution in Dolibarr ERP & CRM

Wed, 22 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via PHP Function Blacklist Bypass in Dolibarr Website Module
Weaknesses CWE-94

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Authenticated Remote Code Execution via PHP Function Blacklist Bypass in Dolibarr Website Module
Weaknesses CWE-78
CWE-94
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Dolibarr
Dolibarr dolibarr
Vendors & Products Dolibarr
Dolibarr dolibarr

Tue, 21 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.
References

Subscriptions

Dolibarr Dolibarr
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T18:23:33.693Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31019

cve-icon Vulnrichment

Updated: 2026-04-21T18:23:22.402Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-21T15:16:36.560

Modified: 2026-04-21T19:16:16.997

Link: CVE-2026-31019

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T07:45:11Z

Weaknesses