CVE-2026-31018
Received Received - Intake
PHP Code Injection via Inconsistent Permission in Dolibarr Website Module

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: MITRE

Description
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31018
EUVD
EUVD-2026-24134
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dolibarr dolibarr_erp/crm to 22.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31018 is a Remote Code Execution (RCE) vulnerability in the Website module of Dolibarr ERP/CRM versions up to and including 22.0.4.

The issue arises from improper permission validation during the creation of new web pages, allowing authenticated users with limited permissions (restricted to HTML/JavaScript editing) to inject PHP code through unprotected input parameters.

Specifically, users who should only be able to read or edit HTML/JavaScript content can bypass restrictions when creating pages from scratch or from a page template, enabling them to execute arbitrary PHP code.

Impact Analysis

This vulnerability can lead to unauthorized remote command execution on the server hosting the Dolibarr application.

An attacker exploiting this flaw could gain full control over the web application, allowing them to access sensitive data, modify or delete data, and potentially compromise the entire server environment.

Mitigation Strategies

To mitigate this vulnerability, you should restrict user permissions in the Dolibarr Website module to prevent users with only HTML/JavaScript editing rights from creating or editing pages in a way that allows PHP code injection.

  • Ensure that only trusted users have permission level 3 (Create/Edit dynamic content including PHP) or higher.
  • Avoid allowing users with permission level 1 (Read) or 2 (Create/Edit HTML/JavaScript) to create pages from scratch or from templates without additional validation.
  • Apply any available patches or updates from the vendor addressing this issue.

These steps help prevent unauthorized PHP code injection and remote code execution on the server.

Compliance Impact

This vulnerability allows unauthorized remote code execution, potentially leading to full compromise of the web application, unauthorized access to sensitive data, and data modification or deletion.

Such unauthorized access and data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.

Therefore, exploitation of this vulnerability could lead to violations of data protection requirements, risking legal and regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart