CVE-2020-37178
Published: 11 February 2026
Summary
CVE-2020-37178 is a medium-severity Code Injection (CWE-94) vulnerability in KeePass Password Safe (the affected product is inferred from the references). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling, classified under CWE-94 (Code Injection). An attacker can trigger application instability or a crash by dragging and dropping a malicious HTML file into the help area. This section records a CVSS v3.1 base score of 7.5 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Two caveats apply: that score disagrees with the 4.6 (Medium) score given in the summary, and a vector with C:H and A:N describes a confidentiality impact rather than the availability impact of a denial of service. Treat the numbers with caution until they are reconciled against the source record.
Exploitation needs no privileges on the target, but it does need someone with access to the desktop to drag and drop the crafted HTML file into the KeePass help interface, so the attack is local and interactive in practice, whatever the vector's AV:N and UI:N components suggest. The observed impact is denial of service: the application becomes unstable or crashes.
The fix is to upgrade to KeePass 2.44 or later, as indicated by the official KeePass site (https://keepass.info/). Proof-of-concept exploits are publicly available on Exploit-DB (https://www.exploit-db.com/exploits/47952) and in a VulnCheck advisory (https://www.vulncheck.com/advisories/keepass-denial-of-service-poc). Security practitioners should verify the installed version on each endpoint rather than assuming an upgrade has happened, since KeePass is often installed per user or run as a portable build outside central package management.
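As an added example (not code from this advisory's source or from the KeePass project), the script below triages an endpoint inventory against the 2.44 fix threshold. It assumes the inventory is exported as comma-separated "host,product,version" lines; the hosts and versions shown are constructed sample data. The point it makes beyond the text is that version strings must be compared numerically, component by component: a plain string comparison ranks "2.9" above "2.44" and would silently report that host as patched.

```python
"""Triage an endpoint inventory against the KeePass 2.44 fix threshold.

Added example for this advisory; it is not code from the advisory's
source or from the KeePass project. It assumes an inventory export of
"host,product,version" lines (the sample below is constructed) and
flags every KeePass install whose version is strictly below 2.44.
"""
from __future__ import annotations

import re

# First version the advisory reports as fixed.
FIXED_VERSION = (2, 44)

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
ws-finance-01,KeePass Password Safe 2,2.43
ws-finance-02,KeePass Password Safe 2,2.44
ws-dev-07,KeePass Password Safe 2,2.45.1
ws-hr-03,KeePass Password Safe 2,2.9
ws-ops-05,KeePass Password Safe 2,2.44.0.0
ws-lab-11,KeePass Password Safe 2,unknown
"""

# Leading dotted-integer run, e.g. "2.44.0.0" or "2.9 (portable)".
_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn "2.45.1" into (2, 45, 1); raise ValueError on non-numeric input."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is strictly below 2.44.

    Tuple comparison is component-wise and numeric, so (2, 9) < (2, 44)
    and (2, 44, 0, 0) is not below (2, 44). Plain string comparison gets
    the first case wrong (see naive_is_vulnerable).
    """
    return parse_version(version) < FIXED_VERSION


def naive_is_vulnerable(version: str) -> bool:
    """The string-comparison shortcut that misses "2.9": '9' > '4' as text."""
    return version < "2.44"


def triage(inventory: str) -> dict[str, list[str]]:
    """Group hosts from "host,product,version" lines by patch status."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "review": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if not product.lower().startswith("keepass"):
            continue
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            # An agent that could not read the version is not evidence of
            # a patch; route the host to manual inspection instead.
            bucket = "review"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it whatever version string your inventory agent already collects (on Windows, for example, the DisplayVersion value of the KeePass uninstall entry or the file version of KeePass.exe), and treat the review bucket as unpatched until someone has looked at the host.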
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31208
Vulnerability details
KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling. An attacker can trigger it by dragging and dropping a malicious HTML file into the help area, causing application instability or a crash.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The vulnerability enables local application crashes via malicious HTML handling (code injection leading to instability), which maps directly to application exploitation for denial of service.
Affected Assets
- KeePass Password Safe, versions before 2.44
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the vulnerability by requiring timely remediation of the specific flaw in KeePass versions before 2.44 through vendor patches.
- SI-10 (Information Input Validation): requires validation of HTML inputs to the help system to block malicious code injection via drag-and-drop files, addressing CWE-94.
- SI-11 (Error Handling): ensures graceful error handling during HTML parsing in the help system to prevent application crashes or instability from malformed inputs.