CVE-2026-22666 - Vulnerability Analysis
Severity: High | CVSS: 7.2 | Last Updated: April 7, 2026
Dolibarr ERP/CRM - Remote Code Execution
Published: April 7, 2026 | Updated: April 7, 2026 | PoC Available | Remote Exploitable
Overview
Dolibarr ERP/CRM before 23.0.2 contains an authenticated remote code execution vulnerability caused by improper forbidden-string checks in the dol_eval_standard() function. The checks can be bypassed with PHP's dynamic callable syntax, letting an administrator execute arbitrary commands remotely. Exploitation requires administrator privileges.
Severity & Score
Severity: High
CVSS Score: 7.2
Impact
Administrators can execute arbitrary code remotely, potentially leading to full system compromise.
Mitigation
Update to version 23.0.2 or later.
References
- https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea
- https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
- https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg
- https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666
- https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard
Details
- CVE ID: CVE-2026-22666
- Severity: High
- CVSS Score: 7.2
- Type: command_injection
- Status: unconfirmed
CWE
- CWE-95
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H