PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31018 Dolibarr CVE debrief

CVE-2026-31018 is a high-severity vulnerability in Dolibarr ERP & CRM 22.0.4 and earlier. The vulnerability allows an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation. This issue arises from inconsistent application of PHP code detection and editing permission enforcement in the Website module.

Vendor
Dolibarr
Product
Dolibarr ERP & CRM
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-21
Original CVE updated
2026-07-05
Advisory published
2026-04-21
Advisory updated
2026-07-05

Who should care

Administrators and users of Dolibarr ERP & CRM, especially those with Website module access, should be aware of this vulnerability. Given its high CVSS score of 8.8, priority should be given to applying the necessary patches or mitigations.

Technical summary

The vulnerability exists in Dolibarr ERP & CRM version 22.0.4 and earlier. It is caused by the inconsistent enforcement of PHP code detection and editing permissions in the Website module. An authenticated user with restricted access to HTML/JavaScript editing can exploit this vulnerability to inject PHP code through unprotected inputs when creating website pages. This issue arises from inconsistent application of PHP code detection and editing permission enforcement in the Website module, allowing potential code injection during website page creation.

Defensive priority

High priority should be given to addressing this vulnerability due to its high CVSS score and the potential for code injection.

Recommended defensive actions

  • Apply the latest patches or updates provided by Dolibarr to address this vulnerability.
  • Review and restrict Website module access permissions to ensure that only authorized users can create or edit website pages.
  • Implement additional monitoring and logging to detect potential exploitation attempts.
  • Consider applying compensating controls, such as web application firewalls, to help mitigate the risk.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-04-21T15:16:36.443Z and was last modified on 2026-07-05T02:17:45.190Z. The NVD entry is currently Modified. The vulnerability has a CVSS score of 8.8 and a severity of HIGH.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-21T15:16:36.443Z and has not been modified since then. The NVD entry is currently Modified.