Which versions of PHP are affected by CVE-2026-22666?

Dolibarr ERP/CRM versions before 23.0.2 contain a remote code execution vulnerability that allows authenticated administrators to execute arbitrary system commands through unsafe input validation in…. A patch is available.

Is there a public PoC exploit available for CVE-2026-22666?

Yes, a public proof-of-concept exploit is available for CVE-2026-22666. Prioritise patching immediately. EPSS: 0.1%.

PHP CVE-2026-22666

Q: What is the CVSS score of CVE-2026-22666?

CVE-2026-22666 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-19606 HIGH

Eval Injection (CWE-95)

2026-04-07 VulnCheck

GHSA-m6qg-6w6h-v59x

PHP RCE Code Injection

8.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 14:22 vuln.today

cvss_changed

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

EUVD ID Assigned

Apr 07, 2026 - 13:00 euvd

EUVD-2026-19606

Analysis Generated

Apr 07, 2026 - 13:00 vuln.today

Patch released

Apr 07, 2026 - 13:00 nvd

Patch available

CVE Published

Apr 07, 2026 - 12:41 nvd

HIGH 8.6

DescriptionNVD

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

AnalysisAI

Remote code execution in Dolibarr ERP/CRM versions prior to 23.0.2 allows authenticated administrators to execute arbitrary system commands by exploiting inadequate input validation in the dol_eval_standard() function. The vulnerability enables attackers to bypass security controls using PHP dynamic callable syntax through computed extrafields or other evaluation paths. …

RemediationAI

Within 24 hours: Inventory all Dolibarr deployments and identify instances running versions prior to 23.0.2; restrict administrative access to trusted personnel only and review recent admin account activity logs. Within 7 days: Upgrade all affected Dolibarr instances to version 23.0.2 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-22666 vulnerability details – vuln.today

Back

PHP CVE-2026-22666

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

PHP CVE-2026-22666

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code