top of page
perceptive_background_267k.jpg

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply f…

Published:

6 april 2026 om 22:00:00

Alert date:

7 april 2026 om 14:02:27

Source:

nvd.nist.gov

Click to open the original link from this advisory

Enterprise Applications, Web Technologies

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function. The vulnerability occurs due to improper forbidden string checks in whitelist mode and failure to detect PHP dynamic callable syntax. Attackers with administrator privileges can exploit this by injecting malicious payloads through computed extrafields or other evaluation paths. The attack uses PHP dynamic callable syntax to bypass validation mechanisms. Successful exploitation leads to arbitrary command execution via eval() function. This represents a critical security flaw in the popular open-source ERP/CRM system.

Technical details

Mitigation steps:

Affected products:

Dolibarr ERP/CRM

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-22666
https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg
https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666
https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page