Description
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can trigger arbitrary code execution by sending a crafted request to Dolibarr’s core actions file htdocs/core/actions_addupdatedelete.inc.php. This file is included by the ERP/CRM when certain administrative actions are performed, and the vulnerable code allows injection of executable PHP, giving the attacker full control over the affected server.

Affected Systems

Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and the 24.0.0-alpha releases are susceptible. The vulnerability resides in the core actions module included by the web application.

Risk and Exploitability

No EPSS score is available, and the flaw is not listed in CISA KEV. However, evidence from the description indicates that the likely attack vector involves sending an unauthenticated HTTP request to a publicly accessible PHP script. The lack of mitigating controls means that a successful exploit results in complete compromise of confidentiality, integrity, and availability of the affected system.

Generated by OpenCVE AI on May 27, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr to a patched release that includes the fix, such as 22.0.5 or the newer 24.0.0-rc1.
  • If an immediate upgrade is not possible, remove or move the htdocs/core/actions_addupdatedelete.inc.php file out of the web root and restrict any remaining access to that directory.
  • As a temporary workaround, set restrictive file permissions on the actions module so it cannot be executed via web requests, and monitor logs for suspicious activity.

Generated by OpenCVE AI on May 27, 2026 at 22:20 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 28 May 2026 04:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dolibarr; Dolibarr dolibarr
Vendors & Products  |                | Dolibarr; Dolibarr dolibarr

Wed, 27 May 2026 22:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Remote Code Execution via Core Action in Dolibarr ERP/CRM

Wed, 27 May 2026 19:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-94
Metrics    |                | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
           |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 15:15:00 +0000

Type        | Values Removed | Values Added
Description |                | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php
References

Subscriptions

Dolibarr Dolibarr
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T18:14:11.835Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37711

Vulnrichment

Updated: 2026-05-27T18:14:07.402Z

NVD

Status : Deferred

Published: 2026-05-27T15:16:26.760

Modified: 2026-05-27T20:03:09.937

Link: CVE-2026-37711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T04:15:06Z

Weaknesses