Cyber Resilience

CVE-2020-37081

HighPublic PoC

Published: 03 February 2026

Published
03 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 14.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-37081 is a high-severity SQL Injection (CWE-89) vulnerability in Fishingreservationsystem (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37081 affects Fishing Reservation System version 7.5 and consists of multiple remote SQL injection vulnerabilities (CWE-89). These flaws exist in the admin.php, cart.php, and calendar.php components, where parameters including uid, pid, type, m, y, and code fail to properly sanitize user input, allowing attackers to inject malicious SQL commands. The vulnerability enables compromise of the underlying database management system and web application.

Remote attackers require no privileges (PR:N) and can exploit the issues over the network (AV:N) with low attack complexity (AC:L), though user interaction is required (UI:R). Successful exploitation grants high confidentiality impact (C:H) such as data extraction, low integrity impact (I:L), and no availability impact (A:N), yielding a CVSS v3.1 base score of 7.1 (S:U). The description notes that attacks can occur without user interaction, potentially through crafted requests to vulnerable endpoints.

Advisories and related resources, including those from VulnCheck (https://www.vulncheck.com/advisories/fishing-reservation-system-uid-sql-injection), Vulnerability Lab (https://www.vulnerability-lab.com/get_content.php?id=2243), and an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/48417), provide further details on the issues. The vendor site (https://fishingreservationsystem.com/index.html) is referenced for additional context.

EU & UK References

Vulnerability details

Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database…

more

management system and web application without user interaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in public-facing web app components enables exploitation of the application and underlying database.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334Shared CWE-89
CVE-2024-13488Shared CWE-89
CVE-2026-20002Shared CWE-89
CVE-2025-1446Shared CWE-89
CVE-2025-22699Shared CWE-89
CVE-2026-36232Shared CWE-89
CVE-2026-31871Shared CWE-89
CVE-2026-33078Shared CWE-89
CVE-2026-46359Shared CWE-89
CVE-2025-22691Shared CWE-89

Affected Assets

Fishingreservationsystem
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all input parameters (uid, pid, type, m, y, code) in admin.php, cart.php and calendar.php to block malicious SQL statements.

prevent

Mandates timely remediation of the identified SQL-injection flaws in version 7.5 so the vulnerable code paths are removed or corrected.

preventdetect

Boundary-protection mechanisms such as WAF rules can inspect and block SQL-injection payloads before they reach the vulnerable PHP endpoints.

References