CVE-2026-37711
Description
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/actions_addupdatedelete.inc.php file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-37711 allows remote attackers to execute arbitrary PHP code via a dol_eval() call in Dolibarr ERP/CRM htdocs/core/actions_addupdatedelete.inc.php, affecting versions 22.0.0 through 22.0.4 and 24.0.0-alpha.
Vulnerability
Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha contain a PHP code injection vulnerability (CWE-94) in the dol_eval() function, invoked via the file htdocs/core/actions_addupdatedelete.inc.php. The vulnerability arises because user-supplied input is passed to dol_eval(), a wrapper around PHP's eval(), without adequate sanitization. The code path is reachable by default in the stable 22.x series; in the 24.0.0-alpha branch, reachability depends on the specific configuration. The dol_eval() function employs a blacklist of forbidden functions and characters, but this blacklist has been repeatedly bypassed over the years, as documented in reference [1].
Exploitation
An unauthenticated remote attacker can trigger the vulnerable code path by sending crafted HTTP requests to the affected endpoint. The attacker does not require any prior authentication or special privileges. The exploitation sequence involves injecting PHP code into a parameter that is subsequently evaluated by dol_eval(). While the blacklist may block certain function names (e.g., exec, system), other PHP functions remain available, and the attacker can leverage chained vulnerabilities (such as CVE-2026-37712) to achieve OS-level command execution once arbitrary PHP code execution is obtained [1]. No user interaction is required.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code in the context of the web server. This can lead to full compromise of the Dolibarr instance, including disclosure of sensitive data (e.g., database credentials, user information), modification or deletion of records, and, when chained with additional primitives, execution of arbitrary operating system commands. The impact is rated as critical; the reference does not state a CVSS score, but the nature of the vulnerability implies a high one. The attacker effectively gains the same privileges as the web server user, which can be elevated through further attacks [1].
Mitigation
As of the publication date of the reference (May 25, 2026), no official patch or updated version addressing CVE-2026-37711 has been released by Dolibarr. The vendor has historically addressed such issues by expanding the blacklist in dol_eval(), but this pattern has proven insufficient. Users are advised to monitor the Dolibarr project for a future release that incorporates a more robust solution (e.g., removing eval() entirely or shifting to a sandboxed expression parser). Until a fix is available, restricting network access to the Dolibarr instance and applying web application firewall (WAF) rules to block suspicious input may serve as partial mitigation. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=22.0.0 <=22.0.4; v.24.0.0-alpha
Patches
188ad132763be: Clean code
1 file changed · +0 −2
dev/build/makepack-dolibarr.pl+0 −2 modified@@ -243,8 +243,6 @@ $PROJVERSION = $MAJORVERSION . "." . $MINORVERSION; } -print "xx".$PROJVERSION; - ( $MAJOR, $MINOR, $BUILD ) = split( /\./, $PROJVERSION, 3 ); if ( $MINOR eq '' ) { die "Error can't detect version"; }
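Review bot: Nothing in this hunk touches the code path named in the advisory; the only change is dropping the leftover debug line `print "xx".$PROJVERSION;` from the version-parsing block of dev/build/makepack-dolibarr.pl, so this commit should not be recorded as the fix for CVE-2026-37711. The commit message "Clean code" should also state what was cleaned (removal of a stray debug print) so the change is not mistaken for a security fix.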
Vulnerability mechanics
Root cause
The root cause is not identifiable from the supplied bundle: the patch only cleans a debug print in a build script, and the advisory does not describe the underlying defect in the vulnerable file.
Attack vector
The advisory states that a remote attacker can execute arbitrary code via `htdocs/core/actions_addupdatedelete.inc.php` in Dolibarr versions 22.0.0 through 22.0.4 and 24.0.0-alpha. The exact attack vector is not detailed in the supplied bundle — no payload shape, network path, or preconditions are described. The patch provided does not address the runtime code path, so the mechanism remains unspecified by the available materials.
Affected code
The patch modifies `dev/build/makepack-dolibarr.pl`, a build/packaging script, not runtime application code. The vulnerability is described as affecting `htdocs/core/actions_addupdatedelete.inc.php`, but the supplied patch does not touch that file.
What the fix does
The supplied patch [patch_id=2691378] removes a debug `print "xx".$PROJVERSION;` line from the build script `dev/build/makepack-dolibarr.pl`. This change does not address the reported vulnerability in `htdocs/core/actions_addupdatedelete.inc.php`. No remediation for the actual code-execution flaw is present in the bundle; the advisory does not specify a fix.
Preconditions
- network: The attacker must be able to reach the vulnerable `htdocs/core/actions_addupdatedelete.inc.php` endpoint over the network.
- config: The target must be running Dolibarr v.22.0.0 through v.22.0.4 or v.24.0.0-alpha.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 0 (no linked articles in our index yet).