CVE-2026-31019
Published 2026-04-21. CVE-2026-31019: In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to…
Priority: P2 | 64 | high | CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.63% (45.8th percentile)
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | 0 – 22.0.4 | — |
| dolibarr | dolibarr_erp_crm | <= 22.0.4 | — |
VulDB: CVE-2026-31019 [HIGH] Dolibarr ERP CRM up to 22.0.4 Website permission (Nessus ID 310628)
vuldb · 2026-04-28 · CVSS 8.8
A vulnerability categorized as critical has been discovered in Dolibarr ERP CRM up to 22.0.4. This affects an unknown part of the component Website Module. Executing a manipulation can lead to permission issues.
This vulnerability is tracked as CVE-2026-31019. The attack can be launched remotely. No exploit exists.
GHSA (unreviewed): CVE-2026-31019 [HIGH] CWE-78 GHSA-j2g9-rprv-hrhc: In the Website module of Dolibarr ERP & CRM 22
ghsa_unreviewed · 2026-04-21
Description: same as the CVE description above.
GHSA: CVE-2026-31019 [HIGH] CWE-78 Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions
ghsa · 2026-04-21
Description: same as the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-21