logo

Database

OS Command Injection In dolibarr/dolibarr

Description

Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-310192. NVD-2026-310193. OSV-2026-310194. GCVE-2026-31019

References

1. https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md2. http://dolibarr.com

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.