Dolibarr ERP/CRM CVE-2026-37711
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php
AnalysisAI
Code injection in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha allows a remote, unauthenticated attacker to execute attacker-controlled PHP through the htdocs/core/actions_addupdatedelete.inc.php request handler (CWE-94). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates a low-effort, network-reachable, no-authentication attack, though all impact metrics are rated Low (C:L/I:L/A:L), suggesting the executable surface is constrained rather than full system takeover. There is no public exploit code confirmed in the provided data and the issue is not in CISA KEV (no observed exploitation per SSVC), but a referenced research write-up and a GitHub Security Advisory exist, and SSVC rates the flaw as automatable.
Technical ContextAI
The affected component, htdocs/core/actions_addupdatedelete.inc.php, is a shared Dolibarr action-dispatch include that processes add/update/delete operations across modules. The referenced research write-up ('dol_eval-five-years') points to Dolibarr's long-standing use of its internal dol_eval() expression-evaluation routine, which ultimately resolves user-influenced strings into executable PHP. CWE-94 (Improper Control of Generation of Code, i.e. code injection) describes the root cause: input that should be treated as data is instead incorporated into a code path that PHP evaluates, so an attacker who controls that input controls the code that runs. No CPE strings were supplied in the intelligence, so exact platform/configuration identifiers cannot be cross-referenced beyond the version ranges given.
Affected ProductsAI
Dolibarr ERP/CRM is affected in the stable 22.x branch from v22.0.0 through v22.0.4 inclusive, and in the pre-release v24.0.0-alpha. No CPE strings were included in the source data to further pin platform or edition. The authoritative vendor reference is the GitHub Security Advisory at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-grw9-6m4w-mhcq, with additional technical detail in the research write-up at https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/.
RemediationAI
Patch available per vendor advisory (GHSA-grw9-6m4w-mhcq); the exact fixed release version was not specified in the provided data, so consult the advisory at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-grw9-6m4w-mhcq for the patched build and upgrade the 22.x series accordingly, and avoid running the 24.0.0-alpha pre-release in production. Until the patched version is applied, restrict network reachability of the Dolibarr instance to trusted users (place it behind VPN or an authenticating reverse proxy) and use WAF/proxy rules to block direct external requests to core/actions_addupdatedelete.inc.php and related action endpoints - the trade-off is that overly broad rules may break legitimate add/update/delete workflows, so test rules against normal module usage. Where feasible, tighten access controls and disable or lock down any module exposing the vulnerable action path; do not invent a fix version - apply the one named in the advisory.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today