CVE-2026-31019

HIGH8.8EPSS 0.12%

Dolibarr user with permission to edit PHP content can bypass filtering to restrict dangerous PHP functions

發布日:2026/4/21修改日:2026/5/5

描述

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.

受影響套件(1)

Packagist/dolibarr/dolibarrfrom 0, <= 22.0.4

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-31019
PATCHhttps://github.com/Dolibarr/dolibarr
WEBhttp://dolibarr.com
WEBhttps://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md