{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-31018", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T15:31:23.441Z", "dateReserved": "2026-03-09T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T14:12:36.903Z"}, "descriptions": [{"lang": "en", "value": "In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://dolibarr.com"}, {"url": "https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T15:30:39.381217Z", "id": "CVE-2026-31018", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T15:31:23.441Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31018", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T15:30:39.381217Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T15:28:02.956Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://dolibarr.com"}, {"url": "https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md"}], "descriptions": [{"lang": "en", "value": "In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T14:12:36.903Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31018", "state": "PUBLISHED", "dateUpdated": "2026-04-21T15:31:23.441Z", "dateReserved": "2026-03-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-21T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BAE3269-374D-425C-B943-C4DA4494F7BF", "versionEndIncluding": "22.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation."}], "id": "CVE-2026-31018", "lastModified": "2026-04-23T16:15:59.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T15:16:36.443", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://dolibarr.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,22.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "dolibarr_erp/crm", "vendor": "dolibarr"}], "analysis": {"en": {"generated_at": "2026-04-21T23:13:56.819354+00:00", "value": {"mitigation_remediation": ["Upgrade Dolibarr to the latest release that includes a fix for the PHP injection flaw, or apply the vendor\u2019s patch once it becomes available.", "Remove or restrict the Website module permission that allows users to edit HTML/JavaScript unless absolutely necessary; lock the role to read-only or no edit privileges.", "Configure the web server to disable PHP code execution in the directory where website pages are stored, or enforce server-side input sanitization to strip PHP opening tags before storage.", "As a temporary measure, deploy a web-application firewall rule that blocks payloads containing \"<?php\" or related PHP code in website page submissions."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Dolibarr ERP & CRM software versions up to and including 22.0.4 are affected. No other vendor or product information is explicitly listed. Users running earlier or later releases of Dolibarr are not impacted.", "description_and_impact": "The vulnerability allows an authenticated user with limited permissions in the Dolibarr Website module to inject arbitrary PHP code through unprotected inputs during page creation. Because the permission checks are not applied consistently to all input parameters, the injected PHP can be executed on the server, providing the attacker with full remote code execution capabilities on the affected Dolibarr installation. This leads to a complete compromise of confidentiality, integrity and availability of the underlying web application and any data it manages.", "risk_and_exploitability": "The vulnerability\u2019s impact is Remote Code Execution. The CVSS score is 8.8, indicating a high severity level. Exploitation requires only an authenticated Dolibarr account that has access to the Website module and the HTML/JavaScript editing permission; it does not require elevated system privileges. Since no EPSS information or KEV listing is available, the likelihood of exploitation is unknown, but the potential damage is severe. No official patch or workaround is listed."}}}}, "created": "2026-04-21T23:15:03.129284+00:00", "title": "Authenticated Users Can Inject PHP Code in Dolibarr Website Module", "updated": "2026-04-22T11:47:07.595381+00:00", "vendors": ["dolibarr", "dolibarr$PRODUCT$dolibarr_erp/crm"], "weaknesses": ["CWE-284", "CWE-94"]}