What is CVE-2026-22666?

CVE-2026-22666 is a high-severity vulnerability in Dolibarr Erp/crm, classified under Eval Injection. CVSS score: 7.2/10. Published 2026-04-07.

How severe is CVE-2026-22666?

High severity. CVSS v3 base score is 7.2 out of 10.

Is CVE-2026-22666 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Dolibarr Erp/crm

CVE-2026-22666

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callab…

EPSS: 0.004 (62.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Dolibarr Erp/crm — versions 0, 6f425521b3e6f9f27eca05228e02093dbaa40dea

Weakness classification (CWE)

CWE-95 — Eval Injection

Public proof-of-concept exploits

JivaSecurity/DOLIBARR-RCE-CVE-2026-22666

References

jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666 (technical-description, exploit)
github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg (vendor-advisory)
github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea (patch)
github.com/Dolibarr/dolibarr/releases/tag/23.0.2 (release-notes)
www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-st… (third-party-advisory)

Frequently asked questions

What is CVE-2026-22666?: CVE-2026-22666 is a high-severity vulnerability in Dolibarr Erp/crm, classified under Eval Injection. CVSS score: 7.2/10. Published 2026-04-07.
How severe is CVE-2026-22666?: High severity. CVSS v3 base score is 7.2 out of 10.
Is CVE-2026-22666 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.