Dolibarr ERP/CRM < 23.0.2 Authenticated RCE via dol_eval_standard()

Advisories

severity: high
date: 4/7/2026
Affecting: Dolibarr ERP/CRM < 23.0.2, fixed in commit 6f42552
CVE: CVE-2026-22666
CWE: CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Jiva Security Blog
GitHub Security Advisory (GHSA-vmvw-qq8w-wqhg)
Patch Commit
Release Notes
Credit: Jiva (JivaSecurity)
Description: Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo