CVE-2020-37154
Published: 07 February 2026
Summary
CVE-2020-37154 is a high-severity SQL Injection (CWE-89) vulnerability in the eLection 2.0 election-management software hosted on SourceForge (product inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-37154 is an authenticated SQL injection vulnerability (CWE-89) in eLection 2.0, affecting the candidate management endpoint via the 'id' parameter. This flaw allows attackers to manipulate database queries in the open-source election management software hosted on SourceForge under the election-by-tripath project. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-02-07.
Authenticated attackers with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. By injecting malicious payloads through the 'id' parameter, they can manipulate database queries, and tools like SQLMap enable escalation to remote code execution, such as uploading backdoor files to the web application directory, resulting in high confidentiality impact and low integrity impact.
Advisories and references, including a GitHub proof-of-concept detailing SQLi to RCE (https://github.com/J3rryBl4nks/eLection-TriPath-/blob/master/SQLiIntoRCE.md), an Exploit-DB entry (https://www.exploit-db.com/exploits/48122), a VulnCheck advisory (https://www.vulncheck.com/advisories/election-id-sql-injection), and the SourceForge project page (https://sourceforge.net/projects/election-by-tripath/), document the issue and provide exploitation details but do not specify patches or mitigations in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31109
Vulnerability details
eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the 'id' parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application directly enables Exploit Public-Facing Application (T1190); the documented escalation to web shell/backdoor upload enables Server Software Component: Web Shell (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'id' parameter so that malicious SQL payloads are rejected before they reach the database.
- AC-6 (Least Privilege): restricts the database privileges of the application's authenticated user so that even a successful SQLi via the candidate endpoint cannot easily be turned into file-upload RCE.
- Monitoring of database query patterns and anomalies on the candidate management endpoint, to identify SQLMap-driven exploitation attempts.
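To make SI-10 and AC-6 concrete for this bug class, the following is an added example (not code from the eLection project or its candidate handler) that places the unsafe concatenation pattern for an 'id' parameter beside a hardened handler; the PHP/MySQL stack, the table and column names, the DSN and the database account name are assumptions for illustration.

```php
<?php
// Added example, not code from eLection. Table "candidates" and its columns,
// the DSN and the account "election_app" are assumed for illustration.

// VULNERABLE (CWE-89): the raw request value is concatenated into the query
// text, so whatever the client sends becomes part of the SQL statement.
function getCandidateUnsafe(mysqli $db, array $request): ?array
{
    $sql = "SELECT * FROM candidates WHERE id = " . $request['id'];
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// HARDENED (SI-10): validate the type first, then bind the value as a
// parameter so the database never interprets it as SQL.
function getCandidateSafe(PDO $db, array $request): ?array
{
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, party FROM candidates WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection for the hardened path. Disabling emulated prepares makes MySQL
// bind server-side. The AC-6 part is the account itself: grant it only the
// DML it needs on the application's tables and never the global FILE
// privilege, e.g.
//   GRANT SELECT, INSERT, UPDATE, DELETE ON election.* TO 'election_app'@'localhost';
// so a successful injection still cannot write files into the web root.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=election;charset=utf8mb4'; // assumed
    return new PDO($dsn, 'election_app', getenv('DB_PASSWORD'), [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}
```

The validation step returns a 400 for any non-integer 'id', which is also a cheap signal to log and alert on, since SQLMap-style probing produces a burst of such rejections against one endpoint.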