
CVE-2026-22666: Dolibarr 23.0.0 dol_eval() Whitelist Bypass Leads to RCE
The vulnerability stems from two flaws in the dol_eval() function of Dolibarr 23.0.0. First, the $forbiddenphpstrings blocklist is enforced only when dol_eval() runs in blacklist mode; the default whitelist mode ignores it entirely. Second, the whitelist regex fails to recognise PHP's dynamic callable syntax, in which the callee is a string expression rather than a bare function name, such as (('exec')('cmd')). Combined, these two issues allow an expression to reach the evaluator unfiltered and enable remote code execution (RCE). A patch was released on April 4, 2026, following coordinated disclosure.
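The following PHP is an added, illustrative pre-evaluation validator showing how both flaws described above can be closed; it is not Dolibarr's dol_eval() code and not the released patch. The function names (check_expression(), has_dynamic_call()), the allow-list and the $forbidden array are assumptions constructed for this example. It uses PHP's tokenizer rather than a regex, so a string literal or a variable immediately followed by an argument list is flagged as a dynamic call whether or not it is wrapped in parentheses; that also covers the variable-callee form $f('...'), which goes slightly beyond the literal-callee case in the advisory. The forbidden-string check is applied in every mode, not only in blacklist mode.

```php
<?php
// Added illustrative validator; NOT Dolibarr's dol_eval() and not its patch.
// Hypothetical names: check_expression(), has_dynamic_call(), $forbidden, $allowed.

/**
 * Detect PHP dynamic-call syntax, where the callee is a string literal or a
 * variable instead of a bare function name, e.g. 'exec'('cmd'),
 * (('exec')('cmd')) or $f('cmd'). A regex keyed on bare identifiers misses
 * these forms, which is the second flaw the advisory describes.
 */
function has_dynamic_call(string $expr): bool
{
    // token_get_all() expects a full PHP source fragment, hence the open tag.
    $raw = token_get_all('<?php ' . $expr . ';');

    // Drop tokens that carry no syntax so adjacency checks stay simple.
    $skip = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter($raw, function ($t) use ($skip) {
        return !(is_array($t) && in_array($t[0], $skip, true));
    }));

    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], [T_CONSTANT_ENCAPSED_STRING, T_VARIABLE], true)) {
            continue; // only string literals and variables act as a dynamic callee here
        }
        // Step over closing parentheses wrapping the callee: ('exec')(...), (('exec'))(...)
        $j = $i + 1;
        while ($j < $n && $tokens[$j] === ')') {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '(') {
            return true; // literal/variable immediately followed by an argument list
        }
    }
    return false;
}

/**
 * Pre-evaluation gate. Returns a list of rejection reasons; an empty list
 * means the expression may be handed to the evaluator. The forbidden-string
 * list is enforced regardless of $mode, addressing the first flaw (blocklist
 * honoured only in blacklist mode).
 */
function check_expression(string $expr, array $forbidden, string $mode = 'whitelist'): array
{
    $reasons = [];

    foreach ($forbidden as $needle) {
        if (stripos($expr, $needle) !== false) {
            $reasons[] = "forbidden string '$needle' (mode: $mode)";
        }
    }

    if (has_dynamic_call($expr)) {
        $reasons[] = 'dynamic callable syntax';
    }

    if ($mode === 'whitelist') {
        // Illustrative allow-list of bare function names; anything else is rejected.
        // This regex alone would not see 'exec'('cmd'), which is why the tokenizer check exists.
        $allowed = ['max', 'min', 'round', 'strlen'];
        if (preg_match_all('/\b([A-Za-z_][A-Za-z0-9_]*)\s*\(/', $expr, $m)) {
            foreach (array_unique($m[1]) as $fn) {
                if (!in_array(strtolower($fn), $allowed, true)) {
                    $reasons[] = "function '$fn' not in allow-list";
                }
            }
        }
    }

    return $reasons;
}

// Constructed sample expressions and a constructed forbidden-string list,
// evaluated against both modes.
$forbidden = ['exec', 'system', 'shell_exec', 'passthru', 'eval'];
$samples = [
    'max(1, 2) + strlen("abc")',
    "(('exec')('cmd'))",
    '$f("cmd")',
];
foreach (['whitelist', 'blacklist'] as $mode) {
    foreach ($samples as $expr) {
        $reasons = check_expression($expr, $forbidden, $mode);
        printf("[%s] %-28s => %s\n", $mode, $expr, $reasons ? implode('; ', $reasons) : 'allowed');
    }
}
```

Run with `php validator.php`: the arithmetic sample is allowed in both modes, while the dynamic-call samples are rejected in both, by the tokenizer check and (where a forbidden substring is present) by the mode-independent blocklist. The tokenizer approach is deliberately conservative: any string literal or variable followed by an argument list is rejected, including `foo($x)($y)`, since every such form resolves the callee at runtime.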