Dolibarr 23.0.0: PHP eval() whitelist bypass → RCE via two bugs (CVE-2026-22666) (opens in new tab)

Root cause analysis and full PoC. Coordinated disclosure — patch is available as of 4/4/2026