Skip to main content

Dolibarr ERP/CRM CVE-2026-37711

HIGH
Code Injection (CWE-94)
2026-05-27 cve@mitre.org
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:13 vuln.today

DescriptionCVE.org

An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php

AnalysisAI

Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.

Technical ContextAI

The affected component, htdocs/core/actions_addupdatedelete.inc.php, is a shared Dolibarr action-dispatch include that processes add/update/delete operations across modules. The referenced research write-up ('dol_eval-five-years') points to Dolibarr's long-standing use of its internal dol_eval() expression-evaluation routine, which ultimately resolves user-influenced strings into executable PHP. CWE-94 (Improper Control of Generation of Code, i.e. code injection) describes the root cause: input that should be treated as data is instead incorporated into a code path that PHP evaluates, so an attacker who controls that input controls the code that runs. No CPE strings were supplied in the intelligence, so exact platform/configuration identifiers cannot be cross-referenced beyond the version ranges given.

Affected ProductsAI

Dolibarr ERP/CRM is affected in the stable 22.x branch from v22.0.0 through v22.0.4 inclusive, and in the pre-release v24.0.0-alpha. No CPE strings were included in the source data to further pin platform or edition. The authoritative vendor reference is the GitHub Security Advisory at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-grw9-6m4w-mhcq, with additional technical detail in the research write-up at https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/.

RemediationAI

Patch available per vendor advisory (GHSA-grw9-6m4w-mhcq); the exact fixed release version was not specified in the provided data, so consult the advisory at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-grw9-6m4w-mhcq for the patched build and upgrade the 22.x series accordingly, and avoid running the 24.0.0-alpha pre-release in production. Until the patched version is applied, restrict network reachability of the Dolibarr instance to trusted users (place it behind VPN or an authenticating reverse proxy) and use WAF/proxy rules to block direct external requests to core/actions_addupdatedelete.inc.php and related action endpoints - the trade-off is that overly broad rules may break legitimate add/update/delete workflows, so test rules against normal module usage. Where feasible, tighten access controls and disable or lock down any module exposing the vulnerable action path; do not invent a fix version - apply the one named in the advisory.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-37711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy