Compliance Impact

This vulnerability allows an authenticated user with permission to edit PHP content to bypass blacklist-based filtering and execute arbitrary operating system commands on the server.

Such unauthorized remote code execution can lead to full compromise of the web application, including unauthorized access to sensitive data, data modification, or deletion.

As a result, organizations using affected versions of Dolibarr ERP & CRM may face risks of non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-31019 is a Remote Code Execution (RCE) vulnerability in the Website module of Dolibarr ERP & CRM versions up to and including 22.0.4. The module allows authenticated users with permission to edit PHP content to create or modify dynamic web content using PHP code.

To prevent abuse, Dolibarr uses a blacklist-based filter that blocks dangerous PHP functions related to system command execution, such as eval, system, and shell_exec. However, this filtering relies on simple string matching and can be bypassed by attackers using obfuscation techniques like encoding, string concatenation, or indirect function calls.

By bypassing the blacklist, an attacker can inject and execute arbitrary PHP code, resulting in full remote code execution on the server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with permission to edit PHP content to execute arbitrary operating system commands on the server hosting Dolibarr ERP & CRM.

The impact includes full compromise of the web application, unauthorized access to sensitive data, and the potential for data modification or deletion.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying attempts to bypass the blacklist-based filtering in the Dolibarr Website module by authenticated users editing PHP content.

Since the vulnerability is exploited by obfuscated PHP code that reconstructs or hides restricted functions at runtime, monitoring for unusual PHP code patterns or indirect function calls in the Website module's editable PHP content is recommended.

Commands to detect suspicious activity might include searching for PHP files or database entries containing obfuscated code patterns, such as string concatenation or encoded function names.

• Use grep or similar tools to search for suspicious PHP code patterns in the web content files or database exports, e.g., grep -rE '(eval|system|shell_exec)' --exclude-dir=vendor /path/to/dolibarr
• Monitor web server logs for unusual POST requests or edits to the Website module by authenticated users.
• Use PHP code analysis tools or scripts to detect indirect function calls or encoded strings that could reconstruct dangerous functions.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Website module's PHP content editing functionality to only fully trusted users.

Since the blacklist-based filtering can be bypassed, disabling or limiting the ability to edit PHP code dynamically in the Website module is recommended.

Applying any available patches or updates from the Dolibarr vendor that address this vulnerability should be prioritized.

• Restrict permissions so only highly trusted administrators can edit PHP content.
• Disable or remove the ability to execute PHP code dynamically in the Website module if possible.
• Monitor and audit changes to PHP content for suspicious activity.

Useful 0 Not Useful 0