CVE-2026-34036 - Vulnerability Analysis
Medium | CVSS: 6.5 | Last Updated: March 31, 2026
Dolibarr - Local File Inclusion
Published: March 31, 2026 | Updated: March 31, 2026 | PoC Available | Remote Exploitable
Overview
Dolibarr <= 22.0.4 contains a local file inclusion vulnerability caused by manipulation of the objectdesc parameter and a fail-open logic flaw in restrictedArea() in /core/ajax/selectobject.php, letting authenticated users with no specific privileges read arbitrary non-PHP files.
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Authenticated users can read arbitrary non-PHP files, potentially exposing sensitive configuration and data files.
Mitigation
Update to the latest version once patches are available.
Details
- CVE ID: CVE-2026-34036
- Severity: Medium
- CVSS Score: 6.5
- Type: path_traversal
- Status: new
CWE
- CWE-98
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N