High severity8.8NVD Advisory· Published Apr 21, 2026· Updated Apr 23, 2026

CVE-2026-31018

Description

In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
dolibarr/dolibarrPackagist	<= 15.0.3	—

Affected products

Dolibarr/Dolibarr Erp\/crm
cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
Range: <=22.0.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/PhDg1410/CVE/blob/main/CVE-2026-31018/README.mdnvdThird Party AdvisoryWEB
github.com/advisories/GHSA-676v-wh57-p375ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-31018ghsaADVISORY
dolibarr.comnvdProductWEB
github.com/Dolibarr/dolibarr/commit/ba28d16da4cc0c221f49a878fecc8425501ceb96ghsaWEB
github.com/Dolibarr/dolibarr/releases/tag/23.0.0ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000