
CVE-2020-37137

High · Public PoC · RCE

Published: 05 February 2026
Modified: 09 February 2026
KEV Added: not listed
Patch:
CVSS score (v4): 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0054 (41.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2020-37137 is a high-severity eval injection (CWE-95) vulnerability in PHP-Fusion (vendor php-fusion, product phpfusion). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-37137 is a remote code execution vulnerability affecting PHP-Fusion version 9.03.50. The issue resides in the add_panel_form() function within the panels.php administration endpoint, where unsanitized POST data from the panel_content parameter is passed to an eval() function, enabling arbitrary code execution. This flaw is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Under the CVSS v3.1 assessment, unauthenticated attackers (PR:N) can reach the flaw over the network (AV:N) with low attack complexity (AC:L), but user interaction is required (UI:R), such as tricking an administrator into submitting a crafted request. Crafted panel_content POST parameters sent to the panels.php endpoint yield remote code execution with changed scope (S:C) and limited confidentiality and integrity impact (C:L/I:L). Note that the CVSS v4 vector listed above instead rates privileges required as High (PR:H), consistent with panels.php being an administration endpoint.

Further detail is available from an exploit proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/48278), the official PHP-Fusion site (https://www.php-fusion.co.uk), and a VulnCheck advisory (https://www.vulncheck.com/advisories/php-fusion-panelsphp-eval-injection). The record was published on 2026-02-05. Security practitioners should consult these sources for exploitation vectors and recommended mitigations.


Vulnerability details

PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the add_panel_form() function that allows attackers to execute arbitrary code through an eval() call on unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct RCE via eval() injection in public web app admin endpoint enables T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22666 (shared CWE-94, CWE-95)
CVE-2026-26045 (shared CWE-94)
CVE-2026-46586 (shared CWE-94, CWE-95)
CVE-2024-11600 (shared CWE-94)
CVE-2025-67979 (shared CWE-94)
CVE-2025-6000 (shared CWE-94)
CVE-2024-54756 (shared CWE-94)
CVE-2026-42898 (shared CWE-94)
CVE-2025-71281 (shared CWE-94)
CVE-2025-70830 (shared CWE-94)

Affected Assets

Vendor: php-fusion
Product: phpfusion
Version: 9.03.50

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of all input (the panel_content POST parameter) before it reaches dangerous constructs such as eval().

SI-2 Flaw Remediation (prevent): Mandates prompt application of patches or code fixes that eliminate the eval-injection flaw in add_panel_form().

Least functionality (prevent): Restricts the use of high-risk language features (eval) and disables unnecessary administrative functions that expose the vulnerable endpoint.
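To make the CWE-95 pattern from the analysis above and the SI-10 control concrete, here is an added example, written for this page and not taken from PHP-Fusion: a minimal handler that reproduces the described flaw (request data flowing into eval()) next to a hardened handler that never evaluates input, validates it, and checks a CSRF token, since the advisory's UI:R scenario is an administrator being tricked into submitting the request. The names save_panel_vulnerable, save_panel_hardened, PanelStore and the $session['csrf_token'] layout are assumptions for illustration and do not reflect PHP-Fusion's real code.

```php
<?php
// Added example (not PHP-Fusion code). Function and class names are assumed
// for illustration; PHP-Fusion's real add_panel_form() is not reproduced here.
declare(strict_types=1);

// In-memory stand-in for the CMS panel table (constructed for the example).
final class PanelStore
{
    /** @var array<string, array{content:string,type:string}> */
    private array $panels = [];

    public function save(string $name, string $content, string $type): void
    {
        $this->panels[$name] = ['content' => $content, 'type' => $type];
    }

    public function get(string $name): ?array
    {
        return $this->panels[$name] ?? null;
    }
}

// --- Vulnerable pattern (CWE-95): request data reaches eval() unsanitized. ---
// Whoever can get this handler to run with a chosen panel_content value
// executes arbitrary PHP in the web server's context.
function save_panel_vulnerable(array $post, PanelStore $store): void
{
    $content = (string) ($post['panel_content'] ?? '');
    eval($content);                      // the flaw: dynamic code built from input
    $store->save((string) ($post['panel_name'] ?? 'unnamed'), $content, 'php');
}

// --- Hardened pattern: no eval(); validate input and store it as inert text. ---
// SI-10: constrain the panel name, bound content length, reject control bytes.
// The CSRF check defeats the "trick an administrator" delivery route (UI:R).
function save_panel_hardened(array $post, array $session, PanelStore $store): array
{
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return ['ok' => false, 'error' => 'csrf token mismatch'];
    }

    $name = (string) ($post['panel_name'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return ['ok' => false, 'error' => 'invalid panel name'];
    }

    $content = (string) ($post['panel_content'] ?? '');
    if (strlen($content) > 65535
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $content)) {
        return ['ok' => false, 'error' => 'invalid panel content'];
    }

    // Stored as text and escaped on output; it is never passed to eval().
    $store->save($name, $content, 'html');
    return ['ok' => true, 'error' => null];
}

// Rendering escapes the stored content so it is displayed, not interpreted.
function render_panel(PanelStore $store, string $name): string
{
    $panel = $store->get($name);
    if ($panel === null) {
        return '';
    }
    $safe = htmlspecialchars($panel['content'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="panel">' . $safe . '</div>';
}

// Usage with constructed input: a legitimate admin request carrying the token.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$store   = new PanelStore();
$result  = save_panel_hardened(
    ['csrf_token' => $session['csrf_token'], 'panel_name' => 'welcome', 'panel_content' => '<p>Hello</p>'],
    $session,
    $store
);
var_dump($result['ok']);
echo render_panel($store, 'welcome'), PHP_EOL;

// A forged request that lacks the session token is rejected before anything is stored.
$forged = save_panel_hardened(['panel_name' => 'welcome', 'panel_content' => 'x'], $session, $store);
var_dump($forged['error']);
```

The hardened handler treats panel content as data throughout: it is validated on the way in, stored with a non-executable type, and escaped on the way out. If a deployment genuinely needs rich HTML in panels, replace the output escaping with an allow-list HTML sanitizer rather than reintroducing eval(); the point of the SI-10 and least-functionality controls above is that no request-controlled string should ever be handed to the PHP interpreter.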

References