PatchSiren cyber security CVE debrief
CVE-2026-31018 Dolibarr CVE debrief
CVE-2026-31018 is a high-severity vulnerability in Dolibarr ERP & CRM 22.0.4 and earlier. The vulnerability allows an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. This issue arises from inconsistent application of PHP code detection and editing permission enforcement in the Website module.
- Vendor
- Dolibarr
- Product
- Dolibarr ERP & CRM
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-21
- Original CVE updated
- 2026-07-05
- Advisory published
- 2026-04-21
- Advisory updated
- 2026-07-05
Who should care
Administrators and users of Dolibarr ERP & CRM, especially those with Website module access, should be aware of this vulnerability. Given its high CVSS score of 8.8, priority should be given to applying the necessary patches or mitigations.
Technical summary
The vulnerability exists in Dolibarr ERP & CRM version 22.0.4 and earlier. It is caused by the inconsistent enforcement of PHP code detection and editing permissions in the Website module. An authenticated user with restricted access to HTML/JavaScript editing can exploit this vulnerability to inject PHP code through unprotected inputs when creating website pages. This issue arises from inconsistent application of PHP code detection and editing permission enforcement in the Website module, allowing potential code injection during website page creation.
Defensive priority
High priority should be given to addressing this vulnerability due to its high CVSS score and the potential for code injection.
Recommended defensive actions
- Apply the latest patches or updates provided by Dolibarr to address this vulnerability.
- Review and restrict Website module access permissions to ensure that only authorized users can create or edit website pages.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Consider applying compensating controls, such as web application firewalls, to help mitigate the risk.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-04-21T15:16:36.443Z and was last modified on 2026-07-05T02:17:45.190Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 8.8 and a severity of HIGH.
Official resources
-
CVE-2026-31018 CVE record
CVE.org
-
CVE-2026-31018 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-21T15:16:36.443Z and has not been modified since then. The NVD entry is currently Modified.