Cyber Posture

CVE-2026-22666

High · Public PoC · RCE

Published: 07 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available (23.0.2)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22666 is a high-severity Eval Injection (CWE-95) vulnerability in Dolibarr ERP/CRM. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS it ranks in the top 42.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Command and Scripting Interpreter (T1059). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI-generated

SI-2 Flaw Remediation (prevent)
Applying the vendor patch (version 23.0.2) removes the validation bypass in dol_eval_standard() that allows arbitrary code execution.

SI-10 Information Input Validation (prevent)
Validating input at system entry points neutralizes payloads that use PHP dynamic callable syntax to get past the whitelist checks and reach eval().

RA-5 Vulnerability Monitoring and Scanning (detect)
Scanning identifies Dolibarr versions prior to 23.0.2, which are exposed to this authenticated RCE, so they can be patched proactively.
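The RA-5 check above, as an added example that is not Dolibarr's code: it reads the version string out of an install's source tree and decides whether the install predates the 23.0.2 fix. It assumes that htdocs/filefunc.inc.php carries a line of the form define('DOL_VERSION', '...'), which is where Dolibarr releases have kept their version string; verify that path against your own deployment. The function names and the sample file contents are constructed for this example.

```php
<?php
// Added example for this page, not Dolibarr code: classify an install as
// vulnerable to CVE-2026-22666 from the version string in its source tree.
// Assumption: htdocs/filefunc.inc.php contains a line such as
//   define('DOL_VERSION', '23.0.1');
// Check that against your own tree before relying on this.
declare(strict_types=1);

const FIXED_VERSION = '23.0.2';

function extractDolibarrVersion(string $filefuncSource): ?string
{
    $pattern = "/define\\(\\s*'DOL_VERSION'\\s*,\\s*'([^']+)'\\s*\\)/";
    return preg_match($pattern, $filefuncSource, $m) === 1 ? $m[1] : null;
}

// true = predates the fix, false = at or after the fix, null = undetermined.
function isVulnerableVersion(?string $version): ?bool
{
    if ($version === null) {
        return null;
    }
    // version_compare() orders 23.0.2-alpha and 23.0.2-rc below 23.0.2, which is
    // what we want: a pre-release build of 23.0.2 is not the fixed release.
    return version_compare($version, FIXED_VERSION, '<');
}

function describe(?string $version): string
{
    $state = isVulnerableVersion($version);
    $label = $state === null ? 'unknown' : ($state ? 'VULNERABLE' : 'fixed');
    return sprintf('%-10s DOL_VERSION=%s', $label, $version ?? 'not found');
}

function scanDolibarrRoot(string $root): string
{
    $path = rtrim($root, '/') . '/htdocs/filefunc.inc.php';
    if (!is_readable($path)) {
        return "unknown    $path is not readable";
    }
    return describe(extractDolibarrVersion((string) file_get_contents($path)));
}

// Constructed sample file contents so the script runs without an install.
$samples = [
    "<?php\nif (!defined('DOL_VERSION')) { define('DOL_VERSION', '23.0.1'); }\n",
    "<?php\ndefine('DOL_VERSION', '23.0.2');\n",
    "<?php\ndefine('DOL_VERSION', '23.0.2-rc');\n",
    "<?php\n// file with no version define at all\n",
];
foreach ($samples as $src) {
    echo describe(extractDolibarrVersion($src)), PHP_EOL;
}

// Real use: php scan.php /var/www/dolibarr
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo scanDolibarrRoot($argv[1]), PHP_EOL;
}
```

Run it against each Dolibarr root on a host; anything reported VULNERABLE or unknown goes on the patch list, the latter because a tree you cannot classify is not evidence that it is fixed.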

MITRE ATT&CK Enterprise Techniques · AI-generated

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Authenticated RCE via eval() in a web app directly enables remote exploitation of public-facing software (T1190) and arbitrary command/script execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

Deeper analysis · AI-generated

Dolibarr ERP/CRM versions prior to 23.0.2 are affected by CVE-2026-22666, an authenticated remote code execution vulnerability in the dol_eval_standard() function. This flaw occurs because the function fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax, allowing bypass of validation mechanisms. It is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Attackers with administrator privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious payloads through computed extrafields or other evaluation paths that leverage PHP dynamic callable syntax, they can bypass whitelist protections and execute arbitrary commands via eval(), resulting in high-impact confidentiality, integrity, and availability violations on the affected system.
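The bypass class described here and in the SI-10 control above, as an added example that is not Dolibarr's code and not dol_eval_standard(): a substring "forbidden string" check in front of eval() next to a token-level allowlist that rejects any call whose callee is not a bare, approved function name. The forbidden list, the approved functions, the variable names, the function names weakFilterAllows / strictFilterAllows / evaluateFormula and the sample expressions are all assumptions constructed for this demo; the two bypass forms shown are generic PHP dynamic-callable syntax, not the payload from the CVE.

```php
<?php
// Added example for this page; not Dolibarr code and not dol_eval_standard().
// It models the CWE-95 pattern the advisory describes: a substring blocklist in
// front of eval() that misses PHP dynamic callable syntax, next to a token-level
// allowlist that rejects every call whose callee is not a bare, approved name.
// Forbidden list, approved names and sample expressions are constructed assumptions.
declare(strict_types=1);

// The kind of "forbidden string" check a naive filter applies before eval().
const FORBIDDEN_SUBSTRINGS = ['system', 'exec', 'passthru', 'popen', 'eval'];

function weakFilterAllows(string $expr): bool
{
    foreach (FORBIDDEN_SUBSTRINGS as $bad) {
        if (stripos($expr, $bad) !== false) {
            return false;
        }
    }
    return true; // ('sys' . 'tem')(...) and $f(...) contain no forbidden substring
}

// Token-level check: only literals, variables, arithmetic/comparison operators and
// direct calls to allow-listed functions may appear. Anything that can yield a
// callable at runtime in callee position (a variable, a string, a parenthesised or
// bracketed expression) is rejected, as are ->, ::, new, casts, backticks and $$.
function strictFilterAllows(string $expr, array $allowedFunctions): bool
{
    $allowedIds = [T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING, T_VARIABLE,
        T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
        T_IS_GREATER_OR_EQUAL, T_IS_SMALLER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR, T_POW];
    $allowedChars = ['(', ')', '+', '-', '*', '/', '%', '.', '?', ':', ',', '<', '>', '!', '[', ']'];
    $valueIds = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    $skip = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $expr),
        function ($t) use ($skip) { return !(is_array($t) && in_array($t[0], $skip, true)); }
    ));

    foreach ($tokens as $i => $t) {
        if (is_string($t)) {
            if (!in_array($t, $allowedChars, true)) {
                return false; // ';', '=', '{', '`', '$', '"', '&', '@', '\' ...
            }
            if ($t === '(' && $i > 0) {
                $prev = $tokens[$i - 1];
                // '(' directly after a value is a call through a dynamic callable:
                // $f(), 'name'(), (expr)(), [$o, 'm'](). After an operator or ',' it
                // is just grouping, which stays allowed.
                if ($prev === ')' || $prev === ']'
                    || (is_array($prev) && in_array($prev[0], $valueIds, true))) {
                    return false;
                }
            }
            continue;
        }
        [$id, $text] = $t;
        if ($id === T_STRING) {
            $name = strtolower($text);
            if (($tokens[$i + 1] ?? null) === '(') {
                if (!in_array($name, $allowedFunctions, true)) {
                    return false; // direct call to a non-approved function
                }
            } elseif (!in_array($name, ['true', 'false', 'null'], true)) {
                return false; // bare identifier: constant lookup or something stranger
            }
            continue;
        }
        if (!in_array($id, $allowedIds, true)) {
            return false; // ->, ::, new, casts, heredoc, include/eval keywords, \name ...
        }
    }
    return true;
}

// Only an expression that passes the strict check is ever handed to eval().
// The safer design is an expression parser that never calls eval() at all.
function evaluateFormula(string $expr, array $vars, array $allowedFunctions)
{
    if (!strictFilterAllows($expr, $allowedFunctions)) {
        throw new InvalidArgumentException("rejected formula: $expr");
    }
    extract($vars, EXTR_SKIP);
    return eval('return ' . $expr . ';');
}

$allowedFunctions = ['round', 'max', 'min', 'abs'];
// Constructed samples: two legitimate formulas, one obvious attack the weak filter
// catches, and two dynamic-callable forms that only the strict filter catches.
$samples = [
    'round($total_ht * 1.2, 2)',
    'max(1, (2 + 3))',
    "system('id')",
    "('sys' . 'tem')('id')",
    '$f(\'id\')',
];
foreach ($samples as $expr) {
    printf("%-26s weak: %-5s strict: %s\n", $expr,
        weakFilterAllows($expr) ? 'allow' : 'block',
        strictFilterAllows($expr, $allowedFunctions) ? 'allow' : 'block');
}
echo evaluateFormula('round($total_ht * 1.2, 2)', ['total_ht' => 100], $allowedFunctions), PHP_EOL;
```

The weak filter blocks system('id') but lets both dynamic-callable forms through, because neither spells a forbidden name as one substring; the strict filter blocks all three because it looks at what sits in callee position, not at spelling. The allowlist is deliberately narrow (no ->, ::, assignment or statement separators), which is the right trade for a formula field; widening it for a feature should be done by adding token kinds one at a time, never by switching back to a blocklist.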

Mitigation involves upgrading to Dolibarr version 23.0.2, which addresses the issue through a specific commit (6f425521b3e6f9f27eca05228e02093dbaa40dea) that strengthens validation in dol_eval_standard(). Official advisories, including GHSA-vmvw-qq8w-wqhg, and third-party analyses from Jiva Security and VulnCheck recommend immediate patching for environments running vulnerable versions, as no workarounds are detailed beyond the update.

Details

CWE(s)

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)
CWE-94 Improper Control of Generation of Code (Code Injection)

Affected Products

dolibarr
dolibarr erp/crm
< 23.0.2 (fixed in 23.0.2)

CVEs Like This One

CVE-2026-23500 (same product: Dolibarr ERP/CRM)
CVE-2026-31018 (same product: Dolibarr ERP/CRM)
CVE-2025-56588 (same product: Dolibarr ERP/CRM)
CVE-2026-31019 (same product: Dolibarr ERP/CRM)
CVE-2024-55227 (same product: Dolibarr ERP/CRM)
CVE-2019-25452 (same product: Dolibarr ERP/CRM)
CVE-2019-25710 (same product: Dolibarr ERP/CRM)
CVE-2024-55228 (same product: Dolibarr ERP/CRM)
CVE-2019-25450 (same product: Dolibarr ERP/CRM)
CVE-2025-22906 (shared CWE-94)