Cyber Resilience

CVE-2026-31018

Severity: High · RCE

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.0029 (0.29% predicted probability of exploitation activity in the next 30 days; 20.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-31018 is a high-severity Code Injection (CWE-94) vulnerability in Dolibarr ERP & CRM. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31018 affects Dolibarr ERP & CRM versions 22.0.4 and earlier, specifically the Website module. The flaw is that PHP code detection, and the editing-permission check behind it, are not applied to every input parameter of the page editor: some fields are screened for PHP before they are written into the page, others are not. An authenticated user whose role allows only HTML/JavaScript editing can therefore place PHP code in an unscreened field while creating a website page. The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and the weakness maps to CWE-94 (Code Injection) and CWE-284 (Improper Access Control). The issue was published on 2026-04-21.

Exploitation needs only a low-privilege authenticated account (PR:L) and is performed remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Once the restriction is bypassed during page creation, the injected PHP runs inside the web server process when the page is served, so the attacker gets whatever that process can reach: the application's data and configuration (including its database credentials) for theft or modification, a foothold for a persistent web shell, or the ability to take the site down. That is why all three impact metrics are rated High.

The references recorded for this CVE are the Dolibarr website (http://dolibarr.com) and a third-party write-up on GitHub (https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md). The GitHub repository is a researcher's, not the vendor's, and neither reference on this page names the fixed release, so confirm the patched version against the Dolibarr release notes before closing the finding.

Vulnerability details

In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

CWE(s)

CWE-94 Code Injection
CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

PHP code injection in the public-facing Website module lets an authenticated low-privilege user reach RCE. That maps directly to exploitation of a public-facing application (T1190), to escalation from a restricted HTML/JavaScript editor role to code execution as the web server user (T1068), and to dropping a web shell for persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (same product: Dolibarr ERP & CRM)

CVE-2026-22666
CVE-2018-25357
CVE-2026-31019
CVE-2025-56588
CVE-2019-25450
CVE-2019-25710
CVE-2026-23500
CVE-2019-25452
CVE-2024-55227
CVE-2025-67486

Affected Assets

Vendor: dolibarr
Product: dolibarr erp/crm
Versions: ≤ 22.0.4

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): validates every input of the Website module's page editor, not only the main content field, so PHP code submitted by a restricted user is detected and rejected whichever parameter carries it.

AC-3 Access Enforcement (prevent): applies the same editing-permission decision to every input parameter during website page creation, closing the unprotected parameters through which PHP was injected.

prevent: ensures that users whose role is limited to HTML/JavaScript editing hold no privilege that lets them inject or execute PHP code.
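The bug class described under Deeper analysis (a PHP check applied to one request field but not to the other fields that reach the same generated page) and the SI-10/AC-3 controls listed above, shown side by side. This is an added example written for this page, not Dolibarr's code: the field names (title, htmlheader, content), the permission flag writephp, the PAGE_FIELDS list and the functions containsPhpCode, buildTemplate, createPageVulnerable and createPageHardened are assumptions chosen to mirror a CMS that writes page fields into a PHP template which the front controller later includes.

```php
<?php
// Added example for this page, not Dolibarr's code. Models a CMS whose page
// editor copies request fields into a PHP template that is later include()d,
// so any "<?" in any stored field executes in the web server process.
// Names (containsPhpCode, createPage*, 'writephp', PAGE_FIELDS) are assumptions.
declare(strict_types=1);

/** Every request field that is copied into the generated template. */
const PAGE_FIELDS = ['title', 'htmlheader', 'content'];

/**
 * True if $value would open a PHP block once the template is included.
 * Any "<?" is rejected, not only "<?php": "<?=" always works, and with
 * short_open_tag enabled even an "<?xml" prolog is parsed as PHP.
 */
function containsPhpCode(string $value): bool
{
    return strpos($value, '<?') !== false;
}

/** Writes the fields into the template exactly as submitted (the sink). */
function buildTemplate(array $params): string
{
    $tpl = '';
    foreach (PAGE_FIELDS as $field) {
        $tpl .= (string)($params[$field] ?? '') . "\n";
    }
    return $tpl; // the real application would save this as a .php page file
}

/**
 * Vulnerable pattern (CWE-94 + CWE-284): the PHP gate covers only the main
 * editor field, so the same payload submitted in htmlheader is never checked.
 */
function createPageVulnerable(array $user, array $params): string
{
    if (!$user['writephp'] && containsPhpCode((string)($params['content'] ?? ''))) {
        throw new RuntimeException("PHP code not allowed in 'content' for this user");
    }
    return buildTemplate($params);
}

/**
 * Hardened pattern: one gate, evaluated per field, over the same PAGE_FIELDS
 * list that buildTemplate() writes. A field added to the list is added to
 * both the check and the sink, which is what keeps the check consistent.
 */
function createPageHardened(array $user, array $params): string
{
    if (!$user['writephp']) {
        foreach (PAGE_FIELDS as $field) {
            if (containsPhpCode((string)($params[$field] ?? ''))) {
                throw new RuntimeException("PHP code not allowed in '$field' for this user");
            }
        }
    }
    return buildTemplate($params);
}

// Constructed request: a user allowed to edit HTML/JavaScript but not PHP
// puts the payload in the header field instead of the checked content field.
$editor  = ['login' => 'editor', 'writephp' => false];
$request = [
    'title'      => 'About us',
    'content'    => '<p>Hello</p><script>console.log("js is allowed")</script>',
    'htmlheader' => '<meta charset="utf-8"><?php echo "injected"; ?>',
];

$tpl = createPageVulnerable($editor, $request);
echo 'vulnerable: ' . (containsPhpCode($tpl) ? 'PHP reached the template' : 'clean') . "\n";

try {
    createPageHardened($editor, $request);
    echo "hardened: accepted\n";
} catch (RuntimeException $e) {
    echo 'hardened: rejected (' . $e->getMessage() . ")\n";
}

// A user who does hold the PHP right may still use PHP in any field.
$admin = ['login' => 'admin', 'writephp' => true];
echo 'admin: ' . (containsPhpCode(createPageHardened($admin, $request)) ? 'PHP kept' : 'clean') . "\n";
```

Run it with `php example.php`. The vulnerable handler lets the header payload through because only the content field is gated; the hardened handler rejects the same request at the htmlheader field, while a user holding the PHP right is still allowed to write PHP anywhere. Two things matter when porting the pattern to a real application: run the check on the exact bytes that will be written (after any decoding the application performs), and route every write path (create, edit, clone, import) through the same function, otherwise the inconsistency this CVE describes reappears on the path that was forgotten.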

References

http://dolibarr.com
https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.md