Cyber Resilience

CVE-2020-37057

HighPublic PoC

Published: 30 January 2026

Published
30 January 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0050 38.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2020-37057 is a high-severity SQL Injection (CWE-89) vulnerability in Sunnygkp10 Online-Exam-System-. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37057 is a SQL injection vulnerability in the feedback module of Online-Exam-System 2015. The flaw allows attackers to manipulate database queries through the 'fid' parameter by injecting malicious SQL code, potentially enabling extraction, modification, or deletion of database information. It is classified under CWE-89 with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no required privileges or user interaction.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity. Successful exploitation grants high-impact confidentiality by extracting sensitive database information, low-impact integrity by modifying data, and no availability disruption, all within the unchanged scope of the application.

Advisories and related resources, including those from Vulncheck and Exploit-DB, provide further details on the vulnerability, with a proof-of-concept exploit available at https://www.exploit-db.com/exploits/48529. The source code for the affected Online-Exam-System 2015 is hosted at https://github.com/sunnygkp10/Online-Exam-System-.git, and mitigation guidance can be found in the Vulncheck advisory at https://www.vulncheck.com/advisories/online-exam-system-fid-sql-injection. No specific patches are detailed in the provided information.

This vulnerability was published on 2026-01-30, with public exploit code indicating potential for real-world abuse in unpatched instances of this legacy online exam system.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the 'fid' parameter. Attackers can inject malicious SQL code into the 'fid' parameter to potentially extract, modify, or delete database information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote exploitation of a public-facing web app via SQL injection matches T1190; DB data extraction/modification is a direct consequence of the flaw.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37051Same product: Sunnygkp10 Online-Exam-System-
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89
CVE-2026-42755Shared CWE-89
CVE-2024-53544Shared CWE-89

Affected Assets

sunnygkp10
online-exam-system-
2015

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection vulnerability by defining and enforcing validation of the 'fid' parameter to reject malicious SQL code before database query execution.

prevent

Addresses the CVE by requiring timely identification, reporting, and correction of the SQL injection flaw in the feedback module.

prevent

Mitigates remote SQL injection exploitation through boundary protection mechanisms like web application firewalls that inspect and block malicious payloads in the 'fid' parameter.

References