CVE-2026-34036 | Dolibarr up to 22.0.4 AJAX Endpoint selectobject.php restrictedArea objectdesc filename control (GHSA-2mfj-r695-5h9r)

A vulnerability has been found in Dolibarr up to 22.0.4 and classified as problematic. This affects the function restrictedArea of the file /core/ajax/selectobject.php of the component AJAX Endpoint. This manipulation of the argument objectdesc causes improper control of filename for include/require statement in php program (‘php remote file inclusion’).

This vulnerability is handled as CVE-2026-34036. The attack can be initiated remotely. There is not any exploit available.

Applying a patch is the recommended action to fix this issue.

CVE-2026-34036 | Dolibarr up to 22.0.4 AJAX Endpoint selectobject.php restrictedArea objectdesc filename control (GHSA-2mfj-r695-5h9r)

Post correlati

CVE-2026-0622 | Open5GS JWT hard-coded key

CVE-2024-8750 | Synetics Idoit Pro 28 id/lang/mNavID/name/pID/treeNode/type/view cross site scripting

CVE-2024-31351 | Copymatic Plugin up to 1.6 on WordPress unrestricted upload

CVE-2024-33650 | Cryout Creations Serious Slider Plugin up to 1.2.4 on WordPress cross-site request forgery