Lack of data validation in dolibarr/dolibarr

Description

Dolibarr allows code injection through its Website module.

In Dolibarr ERP & CRM <= 22.0.4, PHP-code detection and editing-permission enforcement in the Website module are not applied consistently to all input parameters. An authenticated user whose permission is restricted to HTML/JavaScript editing can therefore inject PHP code through the unchecked inputs while creating a website page.

A patch is available at https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0.

Mitigation

Upgrade to Dolibarr 23.0.0 or later. Until the upgrade is applied, grant the Website module's HTML/JavaScript editing permission only to users who could be trusted with PHP execution on the server, since that is what the inconsistent check effectively allows.

Update Impact

Minimal update. As with any upgrade, it may introduce new vulnerabilities or breaking changes.

Package: dolibarr/dolibarr
Affected versions: <= 22.0.4