CVE-2026-37713 Overview
CVE-2026-37713 is a remote code execution vulnerability in Dolibarr ERP/CRM affecting versions v22.0.0 through v22.0.4 and v24.0.0-alpha. The flaw resides in htdocs/core/class/commonobject.class.php and allows a remote attacker to execute arbitrary code on the host running the application. Dolibarr is an open-source enterprise resource planning and customer relationship management platform deployed by small and mid-sized organizations to manage invoicing, inventory, and customer data. Successful exploitation grants the attacker the privileges of the web server process, enabling data theft, lateral movement, and persistence.
Critical Impact
Remote attackers can execute arbitrary code on Dolibarr ERP/CRM installations running affected versions, compromising business data and the underlying host.
Affected Products
- Dolibarr ERP/CRM v22.0.0 through v22.0.4
- Dolibarr ERP/CRM v24.0.0-alpha
- htdocs/core/class/commonobject.class.php component
Discovery Timeline
- 2026-05-27 - CVE-2026-37713 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-37713
Vulnerability Analysis
The vulnerability is an arbitrary code execution flaw in the commonobject.class.php file, which is a core class used across Dolibarr modules to process object data. Public references trace the root cause to the long-standing dol_eval() function pattern, which evaluates user-influenced strings as PHP expressions. When attacker-controlled input reaches the evaluation path inside commonobject.class.php, the application interprets it as code rather than data.
This class of issue is categorized as Code Injection and falls under the broader Remote Code Execution (RCE) category. The component is invoked by many CRUD operations within Dolibarr, which increases the number of HTTP endpoints, reachable by an authenticated user, from which the unsafe evaluation can be triggered.
Root Cause
The root cause is unsafe dynamic evaluation of user-supplied or user-influenceable input within the common object class. Input that should be treated as data flows into a PHP evaluation context without sufficient sanitization or allow-listing. Background on the recurring dol_eval issue is documented in the GitHub Blog Post.
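To make the root cause concrete, the following is an added example in Python; it is not Dolibarr's code and does not reproduce dol_eval(). It places the unsafe pattern (a user-influenced string handed to the interpreter) next to an allow-listed evaluator for the same kind of formula: the input is parsed first and only a small set of node types (numbers, known field names, four arithmetic operators, unary minus) is interpreted. The field names, values and probe strings are constructed.

```python
"""Added example (not Dolibarr code and not a copy of dol_eval()): the unsafe
dynamic-evaluation pattern next to an allow-listed evaluator for the same kind
of user-supplied formula. Field names and values below are constructed."""
import ast
import operator

# Allow-listed binary operators; any other operator type is rejected.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}

# Constructed sample of per-object fields a formula may reference.
SAMPLE_FIELDS = {"qty": 3, "unit_price": 12.5, "discount": 0.1}


class UnsafeExpression(ValueError):
    """Raised when a formula contains anything outside the allow-list."""


def unsafe_eval(expression, fields):
    """Vulnerable pattern: the user-influenced string is handed to the
    interpreter, so it is treated as code rather than data."""
    return eval(expression, {"__builtins__": {}}, dict(fields))


def _walk(node, fields):
    """Evaluate one AST node, accepting only allow-listed node types."""
    if isinstance(node, ast.Expression):
        return _walk(node.body, fields)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in fields:
            raise UnsafeExpression(f"unknown field {node.id!r}")
        return fields[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_walk(node.left, fields),
                                      _walk(node.right, fields))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_walk(node.operand, fields)
    # Calls, attribute access, subscripts, comparisons, etc. all end here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expression, fields):
    """Hardened pattern: parse first, then interpret only allow-listed nodes.
    Nothing in the string is ever executed by the Python interpreter."""
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from exc
    return _walk(tree, fields)


def is_accepted(expression, fields=SAMPLE_FIELDS):
    """True when the allow-listed evaluator accepts the expression."""
    try:
        safe_eval(expression, fields)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    print(safe_eval("qty * unit_price * (1 - discount)", SAMPLE_FIELDS))
    for probe in ("qty ** 10", "qty.__class__", "__import__('os').getcwd()"):
        print(probe, "->", "accepted" if is_accepted(probe) else "rejected")
```

The design point is that the hardened path never asks the language runtime to execute the string: it rejects by default and grows only by adding node types to the allow-list, which is the opposite of trying to sanitize a string before passing it to eval.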
Attack Vector
A remote attacker submits crafted input to a Dolibarr endpoint that invokes the vulnerable code path in commonobject.class.php. The payload is interpreted by the PHP runtime and executes under the privileges of the web server user. Detailed technical context is provided in the GitHub Security Advisory.
No verified public proof-of-concept code is included in the advisory at this time. The vulnerability mechanism is described in prose because no validated exploit code is available from authoritative sources.
Detection Methods for CVE-2026-37713
Indicators of Compromise
- Unexpected PHP processes spawning shell interpreters (sh, bash, php -r) from the Dolibarr web root.
- Outbound network connections from the web server to unfamiliar hosts following requests to Dolibarr object endpoints.
- New or modified PHP files inside the htdocs/ directory not associated with a known update.
- Web access log entries containing PHP function names or backtick characters in request parameters targeting Dolibarr modules.
Detection Strategies
- Inspect HTTP request bodies and query strings sent to Dolibarr for patterns resembling PHP code, including function calls, semicolons, and language constructs.
- Correlate Dolibarr access logs with process creation events on the host to surface web-triggered command execution.
- Apply file integrity monitoring on htdocs/core/class/commonobject.class.php and the wider Dolibarr install tree.
Monitoring Recommendations
- Forward web server, PHP-FPM, and operating system audit logs to a centralized analytics platform for correlation.
- Alert on child processes of the web server user that match command interpreters or scripting engines.
- Track authenticated Dolibarr sessions producing anomalously high write activity or accessing administrative object types.
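The detection strategies and monitoring recommendations above (code-like request parameters, and correlating access logs with process creation by the web server user) can be combined in one pass. The following is an added example in Python, not part of the advisory: it parses Apache combined-format lines, URL-decodes the request target, flags PHP function calls, backticks and open tags, then pairs each hit with interpreter spawns by a web user inside a short time window. The log lines, process events, request paths, user names and the five-second window are constructed assumptions.

```python
"""Added example (not part of the advisory): scan web access-log lines for
PHP-code-like content in Dolibarr request parameters, then correlate hits with
process-creation events for the web server user. Log lines, process events,
paths and user names are constructed samples; the script expects Apache
combined-format lines and simplified auditd-style events."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access-log lines; the third carries a PHP call in a parameter.
ACCESS_LOG = """\
10.0.0.5 - - [27/May/2026:10:01:12 +0000] "GET /dolibarr/product/card.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [27/May/2026:10:02:30 +0000] "POST /dolibarr/societe/card.php?action=update&name=Acme%20Corp HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.9 - - [27/May/2026:10:03:01 +0000] "GET /dolibarr/example/card.php?field=system(%27id%27)%3B HTTP/1.1" 200 310 "-" "curl/8.4"
"""

# Constructed process-creation events (user, parent, child command name).
PROCESS_EVENTS = [
    {"ts": "2026-05-27T10:01:13+00:00", "user": "www-data", "parent": "php-fpm", "comm": "php-fpm"},
    {"ts": "2026-05-27T10:03:02+00:00", "user": "www-data", "parent": "php-fpm", "comm": "sh"},
    {"ts": "2026-05-27T10:05:00+00:00", "user": "root", "parent": "cron", "comm": "sh"},
]

WEB_USERS = {"www-data", "apache", "nginx"}
INTERPRETERS = {"sh", "bash", "dash", "php", "perl", "python", "python3"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Function names that have no business appearing in ERP form data.
PHP_CALL_RE = re.compile(
    r"\b(system|exec|passthru|shell_exec|proc_open|popen|eval|assert|base64_decode)\s*\(",
    re.IGNORECASE,
)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_reasons(target):
    """Return reasons a request target looks like PHP code; empty if clean."""
    decoded = unquote_plus(target)
    reasons = []
    if PHP_CALL_RE.search(decoded):
        reasons.append("php-function-call")
    if "`" in decoded:
        reasons.append("backtick")
    if "<?php" in decoded.lower():
        reasons.append("php-open-tag")
    return reasons


def flag_requests(log_text):
    """Return parsed requests to Dolibarr paths that carry code-like input."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and "/dolibarr/" in rec["target"]:
            reasons = suspicious_reasons(rec["target"])
            if reasons:
                rec["reasons"] = reasons
                flagged.append(rec)
    return flagged


def correlate(flagged, events, window_seconds=5):
    """Pair flagged requests with interpreter spawns by a web user within the window."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for ev in events:
        if ev["user"] not in WEB_USERS or ev["comm"] not in INTERPRETERS:
            continue
        ev_ts = datetime.fromisoformat(ev["ts"])
        for req in flagged:
            if req["ts"] <= ev_ts <= req["ts"] + window:
                pairs.append((req, ev))
    return pairs


def analyze(log_text=ACCESS_LOG, events=PROCESS_EVENTS):
    """Run both stages and return the hits for alerting."""
    flagged = flag_requests(log_text)
    return {"flagged": flagged, "correlated": correlate(flagged, events)}


if __name__ == "__main__":
    result = analyze()
    for req in result["flagged"]:
        print("suspicious request", req["ip"], req["target"], req["reasons"])
    for req, ev in result["correlated"]:
        print("web-triggered execution:", req["ip"], "->", ev["comm"], "at", ev["ts"])
```

Only the query string and path are visible in an access log, so POST bodies need the request-body logging or WAF feed mentioned above to be covered; the correlation stage is what turns a noisy string match into a high-confidence alert, because an interpreter spawned by the web user seconds after a code-like request is rare in normal ERP traffic.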
How to Mitigate CVE-2026-37713
Immediate Actions Required
- Inventory all Dolibarr deployments and identify any instance running v22.0.0 through v22.0.4 or v24.0.0-alpha.
- Upgrade affected installations to a fixed release as referenced in the upstream Dolibarr security advisory.
- Restrict Dolibarr administrative access to trusted internal networks or VPN until patching is complete.
- Rotate credentials and API tokens used by the application if compromise is suspected.
Patch Information
Refer to the GitHub Security Advisory for the fixed version and code changes addressing the unsafe evaluation in commonobject.class.php. Apply vendor-supplied updates rather than custom patches to ensure all related code paths are covered.
Workarounds
- Place the Dolibarr application behind a web application firewall configured to block requests containing PHP code constructs in user input.
- Disable or restrict any Dolibarr modules and custom fields that allow user-defined formulas or expressions until patched.
- Run PHP under a hardened configuration that disables dangerous functions (disable_functions directive) such as exec, system, passthru, and shell_exec.
; Configuration example - disable dangerous PHP functions in php.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
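To check that the directive above is actually in effect, the following is an added example in Python (not from the advisory): it parses a php.ini text, takes the last disable_functions line as the effective value, reports which of the names from the workaround are missing, and flags entries that the directive cannot enforce. The two ini texts are constructed samples. It assumes php.ini is the only source of the setting; a php-fpm pool override set with php_admin_value is not read by this script.

```python
"""Added example (not from the advisory): audit the effective disable_functions
value in a php.ini file against the list in the workaround above, and flag
names that the directive cannot enforce. The two ini texts are constructed
samples. Assumption: php.ini is the only source of the setting; a php-fpm pool
override via php_admin_value is not read by this script."""

# Names from the disable_functions line in the workaround above.
RECOMMENDED = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
}
# Language constructs, not functions: listing them in disable_functions has no effect.
CONSTRUCTS = {"eval", "include", "include_once", "require", "require_once"}

WEAK_INI = """\
[PHP]
; constructed sample: partial list, and eval listed although it is a construct
disable_functions = exec,system,eval
"""

HARDENED_INI = """\
[PHP]
; constructed sample matching the workaround directive
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source"
"""


def parse_disable_functions(ini_text):
    """Return the set of names from the last disable_functions line, or None."""
    value = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" not in line:
            continue  # blank lines and [section] headers
        key, _, val = line.partition("=")
        if key.strip().lower() == "disable_functions":
            value = val.strip().strip('"')  # later occurrences override earlier ones
    if value is None:
        return None
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def audit(ini_text, recommended=RECOMMENDED):
    """Return (missing, ineffective): recommended names absent from the
    directive, and listed names that disable_functions cannot disable."""
    configured = parse_disable_functions(ini_text)
    if configured is None:
        return set(recommended), set()
    return set(recommended) - configured, configured & CONSTRUCTS


def report(ini_text):
    """Human-readable summary for one php.ini text."""
    missing, ineffective = audit(ini_text)
    lines = []
    if missing:
        lines.append("missing from disable_functions: " + ", ".join(sorted(missing)))
    if ineffective:
        lines.append("listed but unenforceable (language constructs): "
                     + ", ".join(sorted(ineffective)))
    return "\n".join(lines) or "disable_functions covers the recommended list"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"[{label}]\n{report(text)}\n")
```

The "ineffective" check matters for this advisory: eval is a language construct, so disable_functions cannot block it, and the directive limits what injected code can do (no shell spawning through the listed functions) rather than preventing the injection itself. The runtime value, including any php-fpm pool override, can be confirmed from the PHP binary the application actually uses with php -r 'echo ini_get("disable_functions");'.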
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


