CVE-2026-31018: Dolibarr Allows Code Injection through its Website Module
In Dolibarr ERP & CRM <= 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page creation.
A patch is available at https://github.com/Dolibarr/dolibarr/releases/tag/23.0.0.
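As an added illustration (not Dolibarr's code and not the project's fix), the following PHP shows the shape of the missing control: one validation routine that runs the PHP-code detection over every submitted field of a page-creation request instead of a hard-coded subset. The field names and the permission flag are assumptions.

```php
<?php
// Added example, not Dolibarr's own code. One chokepoint applies the PHP-code
// detection to EVERY field of a page-creation request (recursing into arrays),
// so no field slips past because a per-parameter check was forgotten.

// True when $value contains anything a PHP parser would treat as code:
// long (<?php), short-echo (<?=) and short (<? ) open tags, in any case.
function containsPhpCode(string $value): bool
{
    // Drop NUL bytes sometimes inserted to hide the tag from naive checks.
    $normalised = str_replace("\0", '', $value);
    $patterns = [
        '/<\?(php\b|=)/i',
        '/<\?(\s|$)/',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $normalised) === 1) {
            return true;
        }
    }
    return false;
}

// Validate every field. $canEditPhp is the caller's "may edit PHP" permission
// (assumed flag). Throws on the first offending field, naming its path.
function checkPageInputs(array $fields, bool $canEditPhp, string $prefix = ''): void
{
    if ($canEditPhp) {
        return; // privileged editors are allowed to embed PHP
    }
    foreach ($fields as $name => $value) {
        $path = $prefix === '' ? (string) $name : "$prefix.$name";
        if (is_array($value)) {
            checkPageInputs($value, false, $path);
        } elseif (containsPhpCode((string) $value)) {
            throw new InvalidArgumentException("PHP code is not allowed in parameter '$path'");
        }
    }
}

// Constructed request (assumed field names): the main content is clean,
// but a secondary field that a partial check might skip is not.
$request = [
    'page_title'    => 'About us',
    'page_content'  => '<p>Hello</p>',
    'page_keywords' => '<?php /* constructed marker */ ?>',
];
try {
    checkPageInputs($request, false);
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Running it with the constructed request rejects the `page_keywords` field; the same routine returns silently for a user who holds the PHP-editing permission.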