Cyber Posture

CVE-2026-31019

Severity: High · Tag: RCE

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed (see Summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31019 is a high-severity OS Command Injection (CWE-78) vulnerability in Dolibarr ERP & CRM (vendor: Dolibarr). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-10 Information Input Validation (prevent)

Mandates validation of PHP content submitted through the Website module so that dangerous functions enabling OS command injection are blocked. Note the limit of this control here: the flaw is that the existing validation is a blacklist of function names, and a blacklist of PHP constructs is bypassable by design (PHP can call a function through a name assembled at runtime, and backticks, eval and include are not function calls at all). Validation that is meant to prevent command execution has to be an allow-list of permitted constructs, or PHP content editing has to be taken away from the affected accounts altogether.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of the specific flaw in Dolibarr's blacklist-based filtering: apply the vendor fix, since versions 22.0.4 and below are affected.

AC-6 Least Privilege (prevent)

Restricts the permission to edit PHP content to the smallest possible set of accounts. A low-privileged authenticated user holding that one permission is all the attacker needs (CVSS PR:L), so the permission itself is the exposure to manage.
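The three controls above reduce to one design rule: never decide what user-supplied PHP may do by listing forbidden names. The following PHP is an added example, not Dolibarr's code and not a reconstruction of the filter the advisory describes. It puts a generic regex denylist beside an allow-list built on PHP's own tokenizer; the allow-list contents, the constructed sample pages and the PHP 8.0+ requirement (for the T_NAME_* token constants) are assumptions of the example.

```php
<?php
// Added example, not Dolibarr code: a denylist filter next to a token-based
// allow-list for user-supplied PHP page content. Requires PHP 8.0+ (for the
// T_NAME_* token constants). The denylist is a generic illustration of the
// fragile pattern, not Dolibarr's actual filter (assumption of this example).

// Fragile: reject page content that mentions a known-dangerous function by name.
// Any spelling the regex does not anticipate is accepted.
function denylist_accepts(string $php): bool
{
    $denied = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
    foreach ($denied as $fn) {
        if (preg_match('/\b' . preg_quote($fn, '/') . '\s*\(/i', $php)) {
            return false;
        }
    }
    return true;
}

// Hardened: lex the content with PHP's tokenizer and accept only constructs on an
// explicit allow-list; everything else is a violation. Returns the list of
// violations, so an empty array means "accepted".
function allowlist_violations(string $php, array $allowedCalls): array
{
    $tokens = token_get_all($php);
    $n = count($tokens);
    $violations = [];

    // Next token after $i that is not whitespace or a comment (null at end of input).
    $nextSignificant = function (int $i) use ($tokens, $n) {
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            return $t;
        }
        return null;
    };

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        $callFollows = $nextSignificant($i) === '(';

        if (!is_array($tok)) {
            // Backticks are shell_exec() in operator form.
            if ($tok === '`') {
                $violations[] = 'backtick shell operator';
            }
            // ")(", "](", "}(": a call on a computed value, e.g. ("sys"."tem")() or $a['f']().
            if ($callFollows && in_array($tok, [')', ']', '}'], true)) {
                $violations[] = "dynamic call after '$tok'";
            }
            continue;
        }

        [$id, $text, $line] = $tok;

        // Language constructs that run code or load files are never allowed.
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $violations[] = "line $line: $text";
            continue;
        }

        // Plain or namespaced name used as a call: must be on the allow-list.
        // This also covers \system(...), Cls::method(...) and function f(...) definitions.
        if ($callFollows && in_array($id, [T_STRING, T_NAME_FULLY_QUALIFIED, T_NAME_QUALIFIED], true)) {
            $name = strtolower(ltrim($text, '\\'));
            if (!in_array($name, $allowedCalls, true)) {
                $violations[] = "line $line: $name() is not on the allow-list";
            }
            continue;
        }

        // Variable function: $f("id") where $f was assembled at runtime.
        if ($callFollows && $id === T_VARIABLE) {
            $violations[] = "line $line: variable function call $text()";
        }
    }
    return $violations;
}

// Constructed sample pages (not from any real site). The allow-list holds only
// output helpers and must never include functions that accept a callable
// (array_map, usort, call_user_func, ...), since those would reopen the door.
$allowed = ['htmlspecialchars', 'date', 'strlen', 'number_format'];
$pages = [
    'plain page'     => '<h1><?php echo htmlspecialchars($title); ?></h1>',
    'assembled name' => '<?php $f = "sys" . "tem"; $f("id"); ?>',
    'backtick'       => '<?php echo `id`; ?>',
];
foreach ($pages as $label => $src) {
    $v = allowlist_violations($src, $allowed);
    printf("%-15s denylist: %s  allow-list: %s\n",
        $label,
        denylist_accepts($src) ? 'accepts' : 'rejects',
        $v ? 'rejects (' . implode('; ', $v) . ')' : 'accepts');
}
```

The denylist accepts all three pages, because none of them contains a forbidden name followed by a parenthesis; the allow-list accepts only the first. The difference is the question each one asks: the denylist asks "does this text mention a bad name?", which has no bounded answer in a language with variable functions and string assembly, while the allow-list asks "does this text use anything I did not explicitly permit?", which does. Even so, the safest posture for a module like this is not to let low-privileged accounts submit PHP at all, which is what the least-privilege control above is for.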

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability sits in a public-facing web application (the Dolibarr Website module) and gives a low-privileged authenticated user OS command execution by bypassing the PHP function blacklist, which maps directly to T1190 (exploit public-facing application) and T1059.004 (Unix shell execution). T1068 is a looser fit: the escalation is from an application-level content-editing right to command execution as the web server's OS account, and the CVSS vector records an unchanged scope (S:U), so read T1068 here as that application-to-host step rather than a kernel or service privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.

Deeper analysisAI

CVE-2026-31019 is a vulnerability in the Website module of Dolibarr ERP & CRM versions 22.0.4 and below. The issue arises from blacklist-based filtering designed to block dangerous PHP functions associated with system command execution. An authenticated user with permission to edit PHP content can bypass this filtering mechanism, resulting in full remote code execution (RCE) that allows arbitrary operating system commands on the server. The vulnerability is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an authenticated attacker possessing low privileges, specifically permission to edit PHP content. The attack vector is network-based with low attack complexity and no user interaction needed. Upon success, the attacker achieves high impacts across confidentiality, integrity, and availability, enabling complete server compromise through arbitrary command execution.

Mitigation details are available in the advisories referenced at http://dolibarr.com and https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md. This page lists no fixed version, only the affected range (22.0.4 and below), so confirm the release that carries the fix against the vendor advisory before treating an upgrade as remediation. The vulnerability was published on 2026-04-21.

Details

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

Affected Products

Vendor: Dolibarr
Product: Dolibarr ERP/CRM
Versions: ≤ 22.0.4

CVEs Like This One

CVE-2026-23500 (same product: Dolibarr ERP/CRM)
CVE-2026-31018 (same product: Dolibarr ERP/CRM)
CVE-2019-25450 (same product: Dolibarr ERP/CRM)
CVE-2019-25710 (same product: Dolibarr ERP/CRM)
CVE-2019-25452 (same product: Dolibarr ERP/CRM)
CVE-2026-22666 (same product: Dolibarr ERP/CRM)
CVE-2024-55227 (same product: Dolibarr ERP/CRM)
CVE-2025-56588 (same product: Dolibarr ERP/CRM)
CVE-2024-55228 (same product: Dolibarr ERP/CRM)
CVE-2025-56102 (shared CWE-78)

References

http://dolibarr.com
https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md