PHP file inclusion in dolibarr - CVE-2026-34036

Published: April 20, 2026


Vulnerability identifier: #VU126578
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34036
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Dolibarr ERP & CRM
Affected software: dolibarr

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper control of the filename used in an include statement in /core/ajax/selectobject.php when processing the objectdesc parameter. A remote user can send a specially crafted request to disclose sensitive information.

The vulnerable include is reached before access control checks are performed, and the access control logic fails open when the features parameter is empty.
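The two defects the advisory names, an include path derived from a request parameter (CWE-98) and an access check that fails open on an empty feature list, both have a standard hardened form. The following is an added, self-contained PHP illustration written for this page; it is not Dolibarr's code, and every name in it (ALLOWED_OBJECT_FILES, resolveObjectFile, accessFailsOpen, accessFailsClosed, handleRequest, the sample user rights) is hypothetical.

```php
<?php
// Added example, not Dolibarr code. Shows the CWE-98 pattern described in the
// advisory (an include path built from a request parameter) next to a hardened
// form, and a fail-open access check next to a fail-closed one.
// All identifiers are hypothetical.

declare(strict_types=1);

// Hypothetical allowlist: the only values a client may send, mapped to the
// files the application is willing to include. The client never supplies a path.
const ALLOWED_OBJECT_FILES = [
    'societe' => 'societe/class/societe.class.php',
    'product' => 'product/class/product.class.php',
];

// Vulnerable pattern: the request parameter becomes part of the include path,
// so any file reachable from $baseDir can be loaded and its contents disclosed.
function vulnerableInclude(string $objectdesc, string $baseDir): void
{
    include $baseDir . '/' . $objectdesc;
}

// Hardened pattern: the parameter is only a key into the fixed table, and the
// resolved path is additionally checked to stay under the application root.
function resolveObjectFile(string $objectdesc, string $baseDir): ?string
{
    if (!isset(ALLOWED_OBJECT_FILES[$objectdesc])) {
        return null; // unknown key: refuse rather than guess a file
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_OBJECT_FILES[$objectdesc]);
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file or resolved outside the root (e.g. via symlink)
    }
    return $path;
}

// Fail-open check, the shape the advisory warns about: an empty feature list is
// treated as "nothing to check" and the request is allowed through.
function accessFailsOpen(array $userRights, string $features): bool
{
    if ($features === '') {
        return true;
    }
    foreach (explode(',', $features) as $feature) {
        if (empty($userRights[trim($feature)])) {
            return false;
        }
    }
    return true;
}

// Fail-closed version: an empty or malformed feature list denies access.
function accessFailsClosed(array $userRights, string $features): bool
{
    if ($features === '') {
        return false;
    }
    foreach (explode(',', $features) as $feature) {
        $feature = trim($feature);
        if ($feature === '' || empty($userRights[$feature])) {
            return false;
        }
    }
    return true;
}

// Hardened handler: authorise first, then resolve the include target from the
// allowlist, so no include is evaluated before the access decision is made.
function handleRequest(array $userRights, string $features, string $objectdesc, string $baseDir): string
{
    if (!accessFailsClosed($userRights, $features)) {
        return '403 forbidden';
    }
    $file = resolveObjectFile($objectdesc, $baseDir);
    if ($file === null) {
        return '400 unknown object';
    }
    require_once $file;
    return '200 ok';
}

// Constructed sample rights for a user who may read products but not societes.
$rights = ['product' => true, 'societe' => false];

var_dump(accessFailsOpen($rights, ''));          // bool(true): empty list lets the request through
var_dump(accessFailsClosed($rights, ''));        // bool(false): empty list is denied
var_dump(accessFailsClosed($rights, 'product')); // bool(true)
var_dump(accessFailsClosed($rights, 'societe')); // bool(false)
var_dump(resolveObjectFile('../../etc/passwd', __DIR__)); // NULL: not an allowlisted key
```

The key design choice is that the client-controlled value is never used as a path at all; it selects an entry from a server-side table, and the realpath check is defence in depth against a misconfigured table or symlink. Ordering the access check before the include resolution closes the "triggered before access control" window the advisory describes.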


How to mitigate CVE-2026-34036

Install the security update from the vendor's website.

Sources