Cyber Resilience

CVE-2020-37178

Severity: Medium · Public PoC

Published: 11 February 2026

Modified: 15 April 2026
CVSS Score (v4): 4.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0003 (10.6th percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-37178 is a medium-severity Code Injection (CWE-94) vulnerability in KeePass Password Safe (product inferred from references). Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling, classified under CWE-94 (code injection). The issue allows attackers to trigger application instability or crashes by dragging and dropping malicious HTML files into the help area. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited by any remote attacker with no required privileges or user interaction beyond the drag-and-drop action into the KeePass help interface. Successful exploitation leads to denial of service, manifesting as application instability or crashes, though the CVSS vector indicates potential high confidentiality impact.

The issue is fixed in KeePass version 2.44 and later, as indicated by the official KeePass site (https://keepass.info/). Proof-of-concept exploits are publicly available, including on Exploit-DB (https://www.exploit-db.com/exploits/47952) and in a VulnCheck advisory (https://www.vulncheck.com/advisories/keepass-denial-of-service-poc). Security practitioners should ensure users upgrade to a patched version to prevent exploitation.

EU & UK References

Vulnerability details

KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling. Attackers can trigger the vulnerability by dragging and dropping malicious HTML files into the help area, potentially causing application instability or crash.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables local application crashes via malicious HTML handling (code injection leading to instability), directly mapping to application exploitation for DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33608 (shared CWE-94)
CVE-2024-53693 (shared CWE-94)
CVE-2025-13773 (shared CWE-94)
CVE-2025-6990 (shared CWE-94)
CVE-2025-50692 (shared CWE-94)
CVE-2025-57439 (shared CWE-94)
CVE-2025-62348 (shared CWE-94)
CVE-2024-57487 (shared CWE-94)
CVE-2026-30643 (shared CWE-94)
CVE-2025-51414 (shared CWE-94)

Affected Assets

KeePass Password Safe (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent (vendor patch): Directly mitigates the vulnerability by requiring timely remediation of the specific flaw in KeePass versions before 2.44 through vendor patches.

prevent (SI-10 Information Input Validation): Requires validation of HTML inputs to the help system to block malicious code injection via drag-and-drop files, addressing CWE-94.

prevent (SI-11 Error Handling): Ensures graceful error handling during HTML parsing in the help system to prevent application crashes or instability from malformed inputs.

References