CVE-2020-37137
Published: 05 February 2026
Summary
CVE-2020-37137 is a high-severity Eval Injection (CWE-95) vulnerability in Php-Fusion Phpfusion. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 41.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2020-37137 is a remote code execution vulnerability affecting PHP-Fusion version 9.03.50. The issue resides in the add_panel_form() function within the panels.php administration endpoint, where unsanitized POST data from the panel_content parameter is passed to eval(), allowing arbitrary PHP code execution. This flaw is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code), with a CVSS v3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Unauthenticated attackers (PR:N) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R), such as tricking an administrator into processing a malicious request. By sending crafted panel_content POST parameters to the panels.php endpoint, attackers achieve remote code execution with changed scope (S:C), potentially leading to limited confidentiality and integrity impacts (C:L/I:L).
Advisories and related resources, including an exploit proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/48278), the official PHP-Fusion site (https://www.php-fusion.co.uk), and a Vulncheck advisory (https://www.vulncheck.com/advisories/php-fusion-panelsphp-eval-injection), provide further details on the issue, which was published on 2026-02-05. Security practitioners should consult these for exploitation vectors and recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31029
Vulnerability details
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via eval() injection in the admin endpoint of a public-facing web application maps to T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of all input (panel_content POST) before it reaches dangerous constructs such as eval().
- SI-2 (Flaw Remediation): Mandates prompt application of patches or code fixes that eliminate the eval-injection flaw in add_panel_form().
- Restricts the use of high-risk language features (eval) and disables unnecessary administrative functions that expose the vulnerable endpoint.
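As an added illustration of the mechanism described in the analysis above and of the input-validation and least-functionality controls just listed, the following PHP is not PHP-Fusion's code: it is a hypothetical reconstruction of the CWE-95 pattern (request data reaching eval()) placed beside a hardened handler that treats panel_content as data. Function names, parameter names, the session layout and the storage callback are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical illustration of the CWE-95 pattern, NOT PHP-Fusion's code.
// Function names, parameters, session keys and the $store callback are assumed.

// VULNERABLE PATTERN (shown for contrast, never called in this script):
// the request body is handed straight to eval(), so whatever the client
// sends in panel_content is executed as PHP.
function add_panel_form_vulnerable(array $post): void
{
    $panel_content = (string)($post['panel_content'] ?? '');
    eval($panel_content);
}

// HARDENED HANDLER: panel_content is treated as data, never as code.
//  1. require an authenticated administrator session (the advisory's PR:N),
//  2. require a session-bound CSRF token (the UI:R "trick an admin" vector),
//  3. validate the content before it reaches any sink (SI-10),
//  4. store it as inert text and escape it on output; eval() is never used
//     (least functionality).
function add_panel_form_hardened(array $post, array $session, callable $store): bool
{
    if (empty($session['is_admin'])) {
        return false;
    }

    $token = $post['csrf_token'] ?? null;
    if (!is_string($token) || !isset($session['csrf_token'])
        || !hash_equals((string)$session['csrf_token'], $token)) {
        return false;
    }

    $content = $post['panel_content'] ?? null;
    if (!is_string($content) || $content === '' || strlen($content) > 65535) {
        return false;
    }

    // The panel is HTML/text only: refuse anything carrying a PHP open tag.
    if (strpos($content, '<?') !== false) {
        return false;
    }

    $store($content);
    return true;
}

// Output encoding for stored panel content, applied at render time.
function render_panel(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample session and requests (not captured from a real system).
$session = ['is_admin' => true, 'csrf_token' => bin2hex(random_bytes(16))];
$saved = [];
$store = static function (string $content) use (&$saved): void {
    $saved[] = $content;
};

// Case 1: administrator with a valid token submitting plain HTML.
$okRequest = [
    'csrf_token'    => $session['csrf_token'],
    'panel_content' => '<b>Welcome</b> to the site',
];
// Case 2: valid token, but the content carries a PHP open tag.
$tagRequest = [
    'csrf_token'    => $session['csrf_token'],
    'panel_content' => '<?php 1; ?>',
];
// Case 3: a request with no CSRF token at all.
$noTokenRequest = ['panel_content' => 'hello'];

foreach (['ok' => $okRequest, 'php-tag' => $tagRequest, 'no-token' => $noTokenRequest] as $label => $req) {
    $accepted = add_panel_form_hardened($req, $session, $store);
    echo $label, ': ', $accepted ? 'accepted' : 'rejected', PHP_EOL;
}

foreach ($saved as $content) {
    echo 'rendered: ', render_panel($content), PHP_EOL;
}
```

The design point is that the hardened handler has no code-execution sink at all: the fix is not a better filter in front of eval() but the removal of eval() from the data path, with authentication, a CSRF check and content validation layered in front of the store and output encoding applied when the panel is rendered.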