CVE-2026-22666

Severity: High · Public PoC · RCE

Published: 07 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: version 23.0.2
CVSS v4.0 score: 8.6 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.1553 (96.4th percentile)
Risk priority: 60 (floored blend · peak EPSS)

Summary

CVE-2026-22666 is a high-severity Eval Injection (CWE-95) vulnerability in Dolibarr ERP/CRM. Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Dolibarr ERP/CRM versions prior to 23.0.2 are affected by CVE-2026-22666, an authenticated remote code execution vulnerability in the dol_eval_standard() function. This flaw occurs because the function fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax, allowing bypass of validation mechanisms. It is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Attackers with administrator privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious payloads through computed extrafields or other evaluation paths that leverage PHP dynamic callable syntax, they can bypass whitelist protections and execute arbitrary commands via eval(), resulting in high-impact confidentiality, integrity, and availability violations on the affected system.

Mitigation involves upgrading to Dolibarr version 23.0.2, which addresses the issue through a specific commit (6f425521b3e6f9f27eca05228e02093dbaa40dea) that strengthens validation in dol_eval_standard(). Official advisories, including GHSA-vmvw-qq8w-wqhg, and third-party analyses from Jiva Security and VulnCheck recommend immediate patching for environments running vulnerable versions, as no workarounds are detailed beyond the update.

Vulnerability details

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function, which fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), CWE-94 (Improper Control of Generation of Code)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Authenticated RCE via eval() in a web app directly enables remote exploitation of public-facing software (T1190) and arbitrary command/script execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23500 (same product: Dolibarr ERP/CRM)
CVE-2026-31018 (same product: Dolibarr ERP/CRM)
CVE-2018-25357 (same product: Dolibarr ERP/CRM)
CVE-2025-56588 (same product: Dolibarr ERP/CRM)
CVE-2019-25710 (same product: Dolibarr ERP/CRM)
CVE-2019-25450 (same product: Dolibarr ERP/CRM)
CVE-2019-25452 (same product: Dolibarr ERP/CRM)
CVE-2026-31019 (same product: Dolibarr ERP/CRM)
CVE-2024-55227 (same product: Dolibarr ERP/CRM)
CVE-2024-55228 (same product: Dolibarr ERP/CRM)

Affected Assets

Vendor: dolibarr
Product: dolibarr erp/crm
Versions: ≤ 23.0.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (SI-2 Flaw Remediation)
Flaw remediation directly prevents exploitation by applying the vendor patch (version 23.0.2) that fixes the validation bypass in dol_eval_standard() allowing arbitrary code execution.

Prevent (SI-10 Information Input Validation)
Information input validation at system entry points neutralizes malicious payloads using PHP dynamic callable syntax that bypass whitelist checks to reach eval() execution.

Detect (RA-5 Vulnerability Monitoring and Scanning)
Vulnerability monitoring and scanning identifies Dolibarr versions prior to 23.0.2 vulnerable to this authenticated RCE, enabling proactive patching.