GHSA-49xw-hw94-fmv2: 
PHP vulnerability analysis and mitigation

A Remote Code Execution vulnerability (GHSA-49xw-hw94-fmv2) was discovered in Dolibarr affecting versions up to 21.0.2. The vulnerability was published on July 19, 2025, and reviewed on July 21, 2025. The issue exists in the menu permission functionality of Dolibarr's backend system, specifically in the menu creation and permission setting features (GitHub Advisory).

The vulnerability stems from insufficient filtering of PHP functions in the menu permission system. When creating a menu, the permissions field can accept PHP code that gets executed through the doleval() method. While there is a blacklist of dangerous PHP functions ($forbiddenphpfunctions), it is not comprehensive enough to prevent exploitation. Functions like includeonce and require_once can bypass the blacklist, leading to file inclusion vulnerabilities. The vulnerability has been assigned a CVSS score of 8.8 (High) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary commands in the file system and read sensitive files. This can lead to complete system compromise, particularly when combined with file upload capabilities. The impact is especially severe when the PHP configuration has allowurlinclude enabled, as it enables remote code execution (GitHub Advisory).

As of the advisory publication, no official patch has been released for this vulnerability. Users are advised to monitor for updates and implement strict access controls to the menu creation functionality. The vulnerability affects versions up to and including 21.0.2 (GitHub Advisory).