VYPR
Unrated severity · NVD Advisory · Published May 27, 2026

CVE-2026-37713


Description

An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-37713 allows remote attackers to execute arbitrary PHP code via a stored dol_eval() chain in Dolibarr ERP/CRM v22.0.0–v22.0.4 and v24.0.0-alpha.

Vulnerability

CVE-2026-37713 is a PHP eval-injection vulnerability (CWE-95) in Dolibarr ERP/CRM 22.0.0 through 22.0.4 and 24.0.0-alpha. The narrative locates it in htdocs/core/class/commonobject.class.php, the base class of every Dolibarr business object, where stored data is handed to dol_eval(). dol_eval() is a wrapper around PHP's eval() that filters its input with a deny-list of function names and patterns rather than by parsing an allowed grammar; this CVE is described as a passive stored chain in that base class whose evaluated content is not caught by the deny-list [1].

Exploitation

To exploit CVE-2026-37713 an attacker needs network access to the Dolibarr instance. The narrative states that no authentication is required on the triggering request because the vulnerable path runs when the application processes already-stored data from extrafields, dynamic visibility rules, or menu permissions: a crafted expression placed in one of those locations is later evaluated by dol_eval() through the commonobject.class.php chain and executed as PHP [1]. How the expression gets stored in the first place is not explained by the materials attached to this record.

Impact

Successful exploitation yields arbitrary PHP execution as the web server user, which is enough for full disclosure and manipulation of the ERP/CRM data and a foothold on the host. The dol_eval() deny-list blocks the usual OS-command functions by name, so the narrative pairs this CVE with CVE-2026-37712 (OS command execution via call_user_func_array()) to reach code execution at the operating-system level [1].

Mitigation

The narrative states that no patch was available as of the publication date (2026-05-27) and that the Dolibarr project has historically fixed dol_eval() issues by extending the deny-list rather than removing eval(), leaving the code base at recurring risk [1]. Note that the Patches section of this record carries a "Fixed in 22.0.5" release tag (May 24, 2026), but the commit attached to it only removes a debug print from a build script and does not change dol_eval() or commonobject.class.php, so the record does not currently evidence a runtime fix. Until a release that replaces dol_eval() with an evaluator that never calls eval() is confirmed, restrict network access to the Dolibarr instance as a workaround [1].
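The two passages above describe the same design problem from both ends: dol_eval() guards eval() with a deny-list, and the only durable fix is to stop handing stored strings to eval() at all. The following is an added example, not Dolibarr code and not a proposed patch, of what that replacement looks like: a recursive-descent evaluator that accepts only an explicit grammar (numbers, quoted strings, named values, comparisons, boolean operators, parentheses) and resolves names solely through an array the caller supplies. The grammar, the class name SafeExprEvaluator, and the variable names in the sample rule are assumptions chosen to resemble a visibility or permission condition; the evaluator does not parse Dolibarr's real rule syntax.

```php
<?php
// Added example, not Dolibarr code: an allow-list expression evaluator that can
// stand in for a deny-list-guarded eval(). The grammar is an assumption about what
// a visibility rule or permission condition needs; extend it by adding productions,
// never by handing the string to eval(). Requires PHP 8.0+ (match, throw expressions).
//
//   expr  := and ('||' and)*
//   and   := cmp ('&&' cmp)*
//   cmp   := unary (('=='|'!='|'<='|'>='|'<'|'>') unary)?
//   unary := '!' unary | '(' expr ')' | INTEGER | 'STRING' | NAME
//
// NAME is resolved only through the array passed to the constructor, so no PHP
// function, object property, superglobal or variable is reachable from the text.

final class SafeExprEvaluator
{
    // Anchored at the current offset (/A); anything that is not one of these four
    // token shapes, e.g. '$', '->', '.', is reported as an illegal character.
    private const TOKEN_RE =
        '/\s*(?:(\d+)|\'((?:[^\'\\\\]|\\\\.)*)\'|([A-Za-z_][A-Za-z0-9_]*)|(==|!=|<=|>=|&&|\|\||[<>!()]))/A';

    private array $tokens = [];
    private int $pos = 0;

    public function __construct(private array $vars) {}

    /** Evaluate $src against the variable map; throws on anything outside the grammar. */
    public function evaluate(string $src): mixed
    {
        $this->tokens = $this->tokenize(trim($src));
        $this->pos = 0;
        $value = $this->parseOr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected token ' . $this->tokens[$this->pos][1]);
        }
        return $value;
    }

    private function tokenize(string $src): array
    {
        $tokens = [];
        for ($off = 0, $len = strlen($src); $off < $len; $off += strlen($m[0])) {
            if (!preg_match(self::TOKEN_RE, $src, $m, PREG_UNMATCHED_AS_NULL, $off)) {
                throw new InvalidArgumentException("Illegal character at offset $off");
            }
            if ($m[1] !== null)     $tokens[] = ['num', (int) $m[1]];
            elseif ($m[2] !== null) $tokens[] = ['str', stripslashes($m[2])];
            elseif ($m[3] !== null) $tokens[] = ['var', $m[3]];
            else                    $tokens[] = ['op', $m[4]];
        }
        return $tokens;
    }

    private function accept(string $op): bool
    {
        $t = $this->tokens[$this->pos] ?? null;
        if ($t !== null && $t[0] === 'op' && $t[1] === $op) {
            $this->pos++;
            return true;
        }
        return false;
    }

    // Both operands are always evaluated: there are no side effects to short-circuit.
    private function parseOr(): mixed
    {
        $v = $this->parseAnd();
        while ($this->accept('||')) { $r = $this->parseAnd(); $v = ((bool) $v) || ((bool) $r); }
        return $v;
    }

    private function parseAnd(): mixed
    {
        $v = $this->parseCmp();
        while ($this->accept('&&')) { $r = $this->parseCmp(); $v = ((bool) $v) && ((bool) $r); }
        return $v;
    }

    private function parseCmp(): mixed
    {
        $l = $this->parseUnary();
        foreach (['==', '!=', '<=', '>=', '<', '>'] as $op) {
            if ($this->accept($op)) {
                $r = $this->parseUnary();
                return match ($op) {
                    '==' => $l == $r, '!=' => $l != $r, '<=' => $l <= $r,
                    '>=' => $l >= $r, '<'  => $l <  $r, '>'  => $l >  $r,
                };
            }
        }
        return $l;
    }

    private function parseUnary(): mixed
    {
        if ($this->accept('!')) {
            return !$this->parseUnary();
        }
        if ($this->accept('(')) {
            $v = $this->parseOr();
            if (!$this->accept(')')) {
                throw new InvalidArgumentException('Expected )');
            }
            return $v;
        }
        $t = $this->tokens[$this->pos] ?? throw new InvalidArgumentException('Unexpected end of expression');
        $this->pos++;
        return match ($t[0]) {
            'num', 'str' => $t[1],
            'var' => array_key_exists($t[1], $this->vars)
                ? $this->vars[$t[1]]
                : throw new InvalidArgumentException('Unknown variable ' . $t[1]),
            default => throw new InvalidArgumentException('Unexpected token ' . $t[1]),
        };
    }
}

// Constructed sample: a visibility rule evaluated against object state (assumed names).
$rule = new SafeExprEvaluator(['status' => 1, 'type' => 'customer', 'MAIN_MODULE_X' => 0]);
var_dump($rule->evaluate("status == 1 && (type == 'customer' || MAIN_MODULE_X != 0)"));

// Anything outside the grammar is rejected before evaluation, instead of being
// matched against a list of forbidden function names.
foreach (["system('id')", "phpinfo()", "\$GLOBALS['x']"] as $bad) {
    try {
        $rule->evaluate($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: $bad ({$e->getMessage()})\n";
    }
}
```

The design point is that the security property is structural: there is no code path from the expression text to the PHP interpreter, so there is nothing to bypass and no deny-list to keep current. Comparisons use PHP's loose `==`/`!=` because that is what rule authors expect; swap in `===` if the stored values are already typed.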

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
88ad132763be

Clean code

https://github.com/dolibarr/dolibarr · Laurent Destailleur · May 24, 2026 · Fixed in 22.0.5 (via release-tag)
1 file changed · +0 −2
  • dev/build/makepack-dolibarr.pl · +0 −2 · modified
    @@ -243,8 +243,6 @@
     	$PROJVERSION = $MAJORVERSION . "." . $MINORVERSION;
     }
     
    -print "xx".$PROJVERSION;
    -
     ( $MAJOR, $MINOR, $BUILD ) = split( /\./, $PROJVERSION, 3 );
     if ( $MINOR eq '' ) { die "Error can't detect version"; }
     
    
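Review bot: removing the stray `print "xx".$PROJVERSION;` (and the blank line after it) is the right cleanup for the packaging script, but nothing in this hunk touches `htdocs/core/class/commonobject.class.php` or `dol_eval()`, so this commit cannot on its own justify the "Fixed in 22.0.5" tag attached to CVE-2026-37713; either link the commit that changes the runtime code or drop the release-tag association until one exists.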

Vulnerability mechanics

Root cause

"The supplied patch does not contain a security-relevant defect; it removes a debug print statement from a build script."

Attack vector

The CVE description claims a remote attacker can execute arbitrary code via `htdocs/core/class/commonobject.class.php`, but the supplied patch does not touch that file or any runtime code. The only change is a debug print removal from a build script. The bundle lacks any reference write-up, advisory, or PoC that explains how an attacker would reach the alleged vulnerable code path. No attack vector can be grounded on the supplied materials.

Affected code

The patch touches `dev/build/makepack-dolibarr.pl`, a build/packaging script, not the `htdocs/core/class/commonobject.class.php` file cited in the CVE description. The change removes a debug `print "xx".$PROJVERSION;` statement. No code path in `commonobject.class.php` is shown by the supplied patch.

What the fix does

The patch (commit 88ad132763be) removes a single debug `print "xx".$PROJVERSION;` line from `dev/build/makepack-dolibarr.pl`. This is a code-cleanup change with no security impact. The patch does not address any vulnerability in `htdocs/core/class/commonobject.class.php` or any other runtime component. No remediation for the claimed arbitrary code execution is present in the supplied bundle.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.