CVE-2026-31018
PHP Code Injection via Inconsistent Permission in Dolibarr Website Module
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dolibarr | dolibarr_erp/crm | up to and including 22.0.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31018 is a Remote Code Execution (RCE) vulnerability in the Website module of Dolibarr ERP/CRM versions up to and including 22.0.4.
The issue arises from improper permission validation during the creation of new web pages, allowing authenticated users with limited permissions (restricted to HTML/JavaScript editing) to inject PHP code through unprotected input parameters.
Specifically, users who should only be able to read or edit HTML/JavaScript content can bypass restrictions when creating pages from scratch or from a page template, enabling them to execute arbitrary PHP code.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized remote command execution on the server hosting the Dolibarr application.
An attacker exploiting this flaw could gain full control over the web application, allowing them to access sensitive data, modify or delete data, and potentially compromise the entire server environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should restrict user permissions in the Dolibarr Website module to prevent users with only HTML/JavaScript editing rights from creating or editing pages in a way that allows PHP code injection.
- Ensure that only trusted users have permission level 3 (Create/Edit dynamic content including PHP) or higher.
- Avoid allowing users with permission level 1 (Read) or 2 (Create/Edit HTML/JavaScript) to create pages from scratch or from templates without additional validation.
- Apply any available patches or updates from the vendor addressing this issue.
These steps help prevent unauthorized PHP code injection and remote code execution on the server.
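The defensive principle behind the mitigation above is that every path that writes page content (create from scratch, create from a template, edit) must pass through the same permission gate, so that a user holding only level 2 (HTML/JavaScript) rights can never persist content containing PHP. The following is an added illustration written for this page; it is not Dolibarr's own code, and the function names, class name, and the numeric values of the permission constants are assumptions chosen to match the three levels the page describes.

```php
<?php
// Added illustration, not Dolibarr code: a single permission check applied to
// every page-content write path, so that the check cannot be "inconsistent"
// (CWE-284) between the create-from-scratch, create-from-template and edit paths.

declare(strict_types=1);

// Permission levels as described on the page; the numeric values are assumptions.
const PERM_READ         = 1;
const PERM_EDIT_HTML    = 2; // may create/edit HTML and JavaScript only
const PERM_EDIT_DYNAMIC = 3; // may create/edit dynamic content including PHP

final class PageContentPolicy
{
    /**
     * True if $content contains any PHP open tag: "<?php", the echo short tag
     * "<?=" or the bare short tag "<?" (case-insensitive). "<?xml" declarations
     * are allowed. Denying the bare "<?" is deliberately conservative, since
     * whether it is executed depends on the server's short_open_tag setting.
     */
    public static function containsPhp(string $content): bool
    {
        return preg_match('/<\?(?!xml\b)/i', $content) === 1;
    }

    /**
     * The one gate used by all write paths. It throws instead of silently
     * stripping tags, so a denied write can be logged and audited.
     */
    public static function assertCanSave(int $permLevel, string $content, string $path): void
    {
        if ($permLevel < PERM_EDIT_HTML) {
            throw new RuntimeException("denied: read-only user cannot write via $path");
        }
        if ($permLevel < PERM_EDIT_DYNAMIC && self::containsPhp($content)) {
            throw new RuntimeException(
                "denied: PHP content requires permission level " . PERM_EDIT_DYNAMIC . " (path: $path)"
            );
        }
    }
}

// Every content-producing entry point funnels through the same check.
function createPageFromScratch(int $permLevel, string $html): string
{
    PageContentPolicy::assertCanSave($permLevel, $html, 'create/scratch');
    return $html;
}

function createPageFromTemplate(int $permLevel, string $template, array $vars): string
{
    // Substitute template variables first and check the rendered result:
    // checking only the template text would miss PHP introduced via a variable.
    $rendered = strtr($template, $vars);
    PageContentPolicy::assertCanSave($permLevel, $rendered, 'create/template');
    return $rendered;
}

function editPage(int $permLevel, string $html): string
{
    PageContentPolicy::assertCanSave($permLevel, $html, 'edit');
    return $html;
}

// Constructed sample inputs for the demonstration below.
$plainHtml = '<h1>Hello</h1><script>console.log("ok");</script>';
$withPhp   = '<h1>Hello</h1><?php echo date("Y"); ?>';
$template  = '<h1>{{title}}</h1><p>{{body}}</p>';

$cases = [
    'level 2, plain HTML from scratch'     => fn() => createPageFromScratch(PERM_EDIT_HTML, $plainHtml),
    'level 2, PHP from scratch'            => fn() => createPageFromScratch(PERM_EDIT_HTML, $withPhp),
    'level 2, PHP via template variable'   => fn() => createPageFromTemplate(PERM_EDIT_HTML, $template,
                                                  ['{{title}}' => 'Hi', '{{body}}' => '<?= 1 ?>']),
    'level 3, PHP on edit'                 => fn() => editPage(PERM_EDIT_DYNAMIC, $withPhp),
    'level 1, plain HTML on edit'          => fn() => editPage(PERM_READ, $plainHtml),
];

foreach ($cases as $label => $attempt) {
    try {
        $attempt();
        echo "ALLOWED  $label\n";
    } catch (RuntimeException $e) {
        echo "REJECTED $label: " . $e->getMessage() . "\n";
    }
}
```

Running the script allows the first and fourth cases and rejects the other three. The point to take from it is structural rather than the regex itself: the template path checks the rendered output, not the template source, and no write path exists that bypasses `assertCanSave`, which is exactly the property a permission-inconsistency bug of this kind violates.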
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized remote code execution, potentially leading to full compromise of the web application, unauthorized access to sensitive data, and data modification or deletion.
Such unauthorized access and data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.
Therefore, exploitation of this vulnerability could lead to violations of data protection requirements, risking legal and regulatory consequences.