CVE-2026-31018
Published 2026-04-21. CVE-2026-31018: In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input…
Priority: P349 · Severity: high · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (20.6th percentile)
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | 0 – 15.0.3 | — |
| dolibarr | dolibarr_erp_crm | <= 22.0.4 | — |
GHSA
GHSA-676v-wh57-p375: In Dolibarr ERP & CRM <= 22
ghsa_unreviewed · 2026-04-21
CVE-2026-31018 [HIGH] CWE-94 GHSA-676v-wh57-p375: In Dolibarr ERP & CRM <= 22
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
GHSA
Dolibarr Allows Code Injection through its Website Module
ghsa · 2026-04-21
CVE-2026-31018 [HIGH] CWE-94 Dolibarr Allows Code Injection through its Website Module
Dolibarr Allows Code Injection through its Website Module
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
A patch is available at https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-21