CVE-2026-22666
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function t
CVSS
7.2
Alto
EPSS
15.5%
p96
KEV
—
Exploit Today
29
0-100
Publicado: 7 abr 2026 · Última mod.: 14 jul 2026 · CWE-95 · CWE-94
15.5%EPSS · 30 días15.5%
2026-06-302026-07-16
Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().
- github.comhttps://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea
- github.comhttps://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
- github.comhttps://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg
- jivasecurity.comhttps://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666
- www.vulncheck.comhttps://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-32489.8 CRÍ100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2026-341978.8 ALT99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-154107.2 ALT71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability18hCVE-2025-670389.8 CRÍ55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability10dCVE-2021-416539.8 CRÍ99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.8dCVE-2023-362558.8 ALT99.0%
——30An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.8d