Cyber Posture

CVE-2026-31018

High · RCE

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31018 is a high-severity Code Injection (CWE-94) vulnerability in Dolibarr ERP/CRM (vendor: Dolibarr). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly validates all inputs in the Website module to detect and reject PHP code injections from restricted users.
- prevent: Enforces consistent access permissions across all input parameters during website page creation to block unauthorized PHP injection.
- prevent: Ensures authenticated users restricted to HTML/JavaScript editing lack privileges for PHP code execution or injection.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1100 Web Shell (Persistence): A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.
Why these techniques?

PHP code injection in the public-facing Website module allows authenticated low-privilege users to achieve RCE, directly enabling exploitation of public-facing applications (T1190), privilege escalation from the restricted editor role (T1068), and web shell deployment (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

Deeper analysis (AI-generated)

CVE-2026-31018 affects Dolibarr ERP & CRM versions 22.0.4 and earlier, specifically within the Website module. The vulnerability stems from inconsistent PHP code detection and editing permission enforcement across input parameters. This flaw enables an authenticated user, restricted to HTML/JavaScript editing, to inject PHP code through unprotected inputs during website page creation. It is rated 8.8 severity under CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection) and CWE-284 (Improper Access Control). The issue was published on 2026-04-21.

An attacker requires low-privilege authenticated access (PR:L) to exploit this remotely over the network (AV:N) with low complexity and no user interaction. By bypassing restrictions during page creation, they can inject and execute arbitrary PHP code, potentially leading to high-impact confidentiality, integrity, and availability compromises, such as data theft, modification, or denial of service on the affected system.
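The root cause described above is a check applied to some page-creation parameters but not all of them. The following added example (not Dolibarr's code; function and field names are hypothetical, and the tag-detection regex is a simplified stand-in for the project's own routine) shows the hardening pattern the mitigations point to: one PHP-code gate run over every submitted parameter, keyed to the user's PHP-editing permission.

```php
<?php
// Added example (not Dolibarr's code): apply ONE PHP-code gate to EVERY
// submitted parameter instead of only to the fields a developer remembered
// to protect. Function and field names are hypothetical.
declare(strict_types=1);

/** True if $value contains anything the PHP engine could treat as code. */
function containsPhpCode(string $value): bool
{
    // Any "<?" opener (long, echo or short form). This also flags "<?xml",
    // which is acceptable for a deny rule applied to a restricted editor.
    if (preg_match('/<\?/', $value) === 1) {
        return true;
    }
    // Legacy "<script language=php>" form, removed in PHP 7 but still worth
    // rejecting so stored content stays safe on older interpreters.
    return preg_match('/<script\b[^>]*\blanguage\s*=\s*["\']?php\b/i', $value) === 1;
}

/**
 * Check every field of a page-creation request with the same rule.
 * Returns the names of fields that must be rejected for a user who is
 * limited to HTML/JavaScript editing; an empty array means the request
 * may proceed. The caller passes the user's "may write PHP" permission.
 */
function rejectedPhpFields(array $fields, bool $userCanEditPhp): array
{
    if ($userCanEditPhp) {
        return [];                          // privileged editors may use PHP
    }
    $rejected = [];
    foreach ($fields as $name => $value) {  // no per-field allowlist:
        if (is_string($value) && containsPhpCode($value)) {  // every parameter
            $rejected[] = $name;                               // is checked
        }
    }
    return $rejected;
}

// Constructed request from an HTML/JS-only editor: the main body is clean,
// but a secondary field carries PHP that a partial check would miss.
$request = [
    'title'       => 'About us',
    'description' => 'Company profile <?php echo 1; ?>',
    'htmlheader'  => '<script>console.log("ok");</script>',
    'content'     => '<p>Hello</p>',
];
foreach (rejectedPhpFields($request, false) as $field) {
    echo "rejected parameter: {$field}\n";
}
```

The point of the loop is that it never consults a list of "known" field names, so a new or overlooked parameter in the form is covered by the same check as the page body.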

Advisories and further details are available from official sources including the Dolibarr website at http://dolibarr.com and a GitHub repository at https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md, which security practitioners should consult for patch information and mitigation guidance.

Details

CWE(s): CWE-94 (Code Injection), CWE-284 (Improper Access Control)

Affected Products: Dolibarr, dolibarr erp/crm, versions ≤ 22.0.4

CVEs Like This One

- CVE-2026-22666 (same product: Dolibarr ERP/CRM)
- CVE-2026-31019 (same product: Dolibarr ERP/CRM)
- CVE-2025-56588 (same product: Dolibarr ERP/CRM)
- CVE-2026-23500 (same product: Dolibarr ERP/CRM)
- CVE-2024-55227 (same product: Dolibarr ERP/CRM)
- CVE-2019-25452 (same product: Dolibarr ERP/CRM)
- CVE-2019-25710 (same product: Dolibarr ERP/CRM)
- CVE-2024-55228 (same product: Dolibarr ERP/CRM)
- CVE-2019-25450 (same product: Dolibarr ERP/CRM)
- CVE-2025-57567 (shared CWE-284, CWE-94)
