CVE-2020-36942
Published: 27 January 2026
Summary
CVE-2020-36942 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Victor CMS from the Victor CMS Project. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
CVE-2020-36942 is a file upload vulnerability in Victor CMS 1.0, specifically in the profile image upload feature. This flaw, associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), enables authenticated users to upload malicious PHP files directly to the /img directory. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability by uploading a PHP shell via the profile image upload functionality. Once uploaded to the /img directory, the attacker accesses the file through a web browser to execute arbitrary system commands, achieving remote code execution (RCE) with high impacts on confidentiality, integrity, and availability.
Advisories and related resources provide further details on the issue: the VulnCheck advisory at https://www.vulncheck.com/advisories/victor-cms-file-upload-to-rce, an Exploit-DB proof-of-concept at https://www.exploit-db.com/exploits/49310, and the project repository at https://github.com/VictorAlagwu/CMSsite. Specific patch or mitigation guidance is not detailed in the CVE description, so security practitioners should review these resources for remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30860
Vulnerability details
Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The file upload vulnerability in a public-facing CMS enables exploitation of public-facing applications (T1190) by allowing authenticated attackers to upload PHP webshells to a web-accessible directory, facilitating web shell deployment (T1100) for remote code execution.
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 mandates validation of all information inputs, including file uploads, to confirm proper format, MIME type, and content such as image magic bytes, directly preventing acceptance of malicious PHP files.
SI-9 enforces restrictions on input characteristics, limiting file uploads to authorized image types and sizes, blocking unrestricted upload of dangerous PHP shells.
SI-3 requires malicious code protection mechanisms at system entry points like upload interfaces to scan and block PHP shells before storage.
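The input checks described under SI-10 and SI-9, written as a PHP upload handler. This is an added example, not Victor CMS code or a vendor patch; the function names, the 2 MiB limit and the allowed image types are assumptions.

```php
<?php
declare(strict_types=1);

// Allowlist (assumed): content-detected MIME type => extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // assumed size limit

// Validate one $_FILES entry and return a server-chosen file name, or throw.
// The client-supplied 'name' and 'type' fields are never trusted.
function validated_image_name(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an HTTP upload');
    }
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > MAX_IMAGE_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Detect the type from the file content (magic bytes), not from the request.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('not an allowed image type');
    }
    // The content must also parse as an image.
    if (getimagesize($tmp) === false) {
        throw new RuntimeException('not a parseable image');
    }
    // Random name plus allowlisted extension: ".php" can never reach disk.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Store the upload under $destDir using the validated, server-chosen name.
function store_profile_image(array $file, string $destDir): string
{
    $name = validated_image_name($file);
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}
```

A valid image can still carry PHP text in its metadata, so the content checks alone are not sufficient. The server-assigned extension is what keeps such a file from being executed, and the upload directory should also have script execution disabled in the web server configuration.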