Is Dolibarr ERP & CRM affected by EUVD-2026-24134?

Dolibarr ERP & CRM versions 22.0.4 and earlier contain a privilege escalation vulnerability (CVSS 8.8) that allows authenticated users with limited website editing permissions to execute arbitrary PHP code and compromise system integrity.

Dolibarr ERP & CRM EUVD-2026-24134

Q: How to fix EUVD-2026-24134?

Within 24 hours: Identify all Dolibarr deployments running version 22.0.4 or earlier and document which users have Website module access. Within 7 days: Audit Website module activity logs for suspicious PHP code injection attempts; immediately revoke Website module access for non-essential users pending mitigation. Within 30 days: Upgrade to the latest patched version when available from Dolibarr; if no patch is released, implement file-level access controls restricting PHP execution in website directories and disable Website module functionality for accounts not requiring it.

| CVE-2026-31018 HIGH

Code Injection (CWE-94)

2026-04-21 mitre

GHSA-676v-wh57-p375

PHP Code Injection RCE N A

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 21, 2026 - 16:26 vuln.today

CVSS changed

Apr 21, 2026 - 16:22 NVD

8.8 (HIGH)

DescriptionNVD

In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

AnalysisAI

Authenticated users with restricted HTML/JavaScript editing permissions in Dolibarr ERP & CRM 22.0.4 and earlier can escalate privileges to execute arbitrary PHP code via the Website module. The vulnerability exploits inconsistent permission enforcement across input parameters during website page creation, allowing low-privileged authenticated users to bypass intended restrictions and inject PHP code. …

RemediationAI

Within 24 hours: Identify all Dolibarr deployments running version 22.0.4 or earlier and document which users have Website module access. Within 7 days: Audit Website module activity logs for suspicious PHP code injection attempts; immediately revoke Website module access for non-essential users pending mitigation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-24134 vulnerability details – vuln.today

Back

Dolibarr ERP & CRM EUVD-2026-24134

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code