Cyber Posture

CVE-2026-31019

High

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code execution with the ability to execute arbitrary operating system commands on the server.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Mandates validation of PHP content inputs in the Website module to prevent bypass of blacklist filtering and block dangerous functions enabling OS command injection.

prevent: Requires timely identification, reporting, and correction of the specific flaw in Dolibarr's blacklist-based filtering, preventing RCE exploitation via patching.

prevent: Enforces least privilege to restrict PHP content editing permissions, mitigating risk from low-privileged authenticated users exploiting the vulnerability.

Security Summary (AI-generated)

CVE-2026-31019 is a vulnerability in the Website module of Dolibarr ERP & CRM versions 22.0.4 and below. The issue arises from blacklist-based filtering designed to block dangerous PHP functions associated with system command execution. An authenticated user with permission to edit PHP content can bypass this filtering mechanism, resulting in full remote code execution (RCE) that allows arbitrary operating system commands on the server. The vulnerability is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires an authenticated attacker possessing low privileges, specifically permission to edit PHP content. The attack vector is network-based with low attack complexity and no user interaction needed. Upon success, the attacker achieves high impacts across confidentiality, integrity, and availability, enabling complete server compromise through arbitrary command execution.

Mitigation details are available in advisories referenced at http://dolibarr.com and https://github.com/PhDg1410/CVE/blob/main/CVE-2026-31019/README.md. The vulnerability was published on 2026-04-21.

Details

CWE(s)

CWE-78 (OS Command Injection)

Affected Products

dolibarr
dolibarr erp/crm
≤ 22.0.4

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability in a public-facing web application (the Dolibarr Website module) lets a low-privileged authenticated user achieve RCE via OS command injection by bypassing the PHP function blacklist. This maps directly to T1190 (exploit a public-facing application), T1068 (exploitation for privilege escalation), and T1059.004 (Unix shell execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References