CVE-2020-37073

HighPublic PoC

Published: 03 February 2026

Published

03 February 2026

Modified

10 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing…

the uploaded file with a 'cmd' parameter.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the user_image parameter to ensure uploaded files are legitimate images and not PHP shells with arbitrary code.

SI-9 Information Input Restrictions good match

prevent

Restricts the user_image input to only safe image file types and characteristics, blocking uploads of dangerous PHP files.

SI-3 Malicious Code Protection good match

preventdetect

Implements malicious code protection mechanisms to scan and block PHP shells during upload to the /img/ directory.

Security SummaryAI

CVE-2020-37073 is an authenticated file upload vulnerability in Victor CMS 1.0, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw resides in the user_image parameter, which permits administrators to upload PHP files containing arbitrary content directly to the /img/ directory. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant confidentiality, integrity, and availability impacts.

The vulnerability can be exploited by authenticated administrators with low privileges over the network with minimal complexity and no user interaction required. An attacker logs in as an admin, uploads a malicious PHP shell via the user_image parameter, and then accesses the file in the /img/ directory using a 'cmd' parameter to execute arbitrary system commands, achieving remote code execution on the server.

Advisories and related resources, including a detailed write-up from VulnCheck at https://www.vulncheck.com/advisories/victor-cms-authenticated-arbitrary-file-upload, an exploit PoC on Exploit-DB at https://www.exploit-db.com/exploits/48490, and the CMS source code on GitHub at https://github.com/VictorAlagwu/CMSsite, provide further technical details published as of 2026-02-03. These references document the issue but do not specify patches in the available information.

Details

CWE(s): CWE-434

Affected Products

victor cms project

victor cms

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

The vulnerability allows authenticated upload of PHP shells to a web directory, enabling exploitation of a public-facing application (T1190) and deployment/execution of web shells (T1100, T1505.003) for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/VictorAlagwu/CMSsite
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/48490
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/victor-cms-authenticated-arbitrary-file-upload
Third Party Advisory · disclosure@vulncheck.com