Cyber Resilience

CVE-2020-37214

High · Public PoC

Published: 11 February 2026

Modified: 15 April 2026
CVSS v4 Score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0061 (44.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2020-37214 is a high-severity Path Traversal (CWE-22) vulnerability in Devdojo (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37214 is a directory traversal vulnerability (CWE-22) affecting Voyager version 1.3.0, an admin panel for Laravel applications. The flaw resides in the asset path parameter within the /admin/voyager-assets endpoint, enabling attackers to manipulate paths and access sensitive system files outside the intended directory.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges. Remote attackers without authentication can exploit it to read arbitrary files, such as /etc/passwd for user enumeration or .env files containing configuration secrets like database credentials.

Mitigation involves upgrading to a patched version, as indicated by Voyager release tags v1.2.7 and v1.3.0 on GitHub. Additional resources include the official Voyager site, an Exploit-DB entry (47875) demonstrating the issue, and a Vulncheck advisory detailing the directory traversal. Security practitioners should scan for exposed Voyager instances and validate input sanitization on asset paths.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers to access sensitive system files by manipulating the asset path parameter. Attackers can exploit the path parameter in /admin/voyager-assets to read arbitrary files like /etc/passwd and .env configuration files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1087.001 Local Account (Discovery)
Adversaries may attempt to get a listing of local system accounts.

Why these techniques?

Directory traversal on a public-facing web application enables remote, unauthenticated file reads (T1190), which directly supports access to local system data (T1005), credential theft from files like .env (T1552.001), and account enumeration via /etc/passwd (T1087.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-36939 (Shared CWE-22)
CVE-2026-26217 (Shared CWE-22)
CVE-2026-27305 (Shared CWE-22)
CVE-2022-50992 (Shared CWE-22)
CVE-2026-30952 (Shared CWE-22)
CVE-2026-32847 (Shared CWE-22)
CVE-2026-6227 (Shared CWE-22)
CVE-2026-30976 (Shared CWE-22)
CVE-2025-10897 (Shared CWE-22)
CVE-2026-30403 (Shared CWE-22)

Affected Assets

Devdojo
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Validates the asset path parameter in the /admin/voyager-assets endpoint to block directory traversal sequences like '../' accessing sensitive files.

prevent

Remediates the specific directory traversal flaw in Voyager 1.3.0 by applying vendor patches such as those in updated releases.

prevent

Enforces access control policies to restrict file access to only intended asset directories, preventing unauthorized reads of system files like /etc/passwd.
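
A containment check of the kind the input-validation and access-enforcement controls above describe, as an added example (not Voyager's code or its patch): instead of blocklisting '../', it canonicalizes the requested path and serves it only if the result is a regular file inside the asset directory. The function name resolveAsset, the directory layout and the .env contents are constructed for illustration; PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example, not Voyager's code).
// Resolve a client-supplied asset path and return it only if the
// canonical result is a regular file inside $baseDir; otherwise null.
function resolveAsset(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // PHP 8 filesystem functions throw on NUL bytes, so reject them first.
    if ($base === false || str_contains($requested, "\0")) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the check below
    // runs on the path the filesystem would actually open.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Trailing separator stops "/srv/assets-old" matching "/srv/assets".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($full, $prefix) ? $full : null;
}

// Constructed fixture: an asset directory with a secret file beside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'asset-demo-' . bin2hex(random_bytes(4));
mkdir("$root/assets/css", 0700, true);
file_put_contents("$root/assets/css/app.css", "body{}");
file_put_contents("$root/.env", "DB_PASSWORD=constructed-value");

$cases = [
    'css/app.css'        => true,   // normal asset
    'css/../css/app.css' => true,   // ".." that stays inside the base
    '../.env'            => false,  // escapes the base
    'css/../../.env'     => false,  // escapes after descending
    'css'                => false,  // directory, not a file
    'missing.js'         => false,  // does not exist
];
foreach ($cases as $path => $expected) {
    $ok = resolveAsset("$root/assets", $path) !== null;
    printf("%-20s %s\n", $path, $ok ? 'served' : 'rejected');
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected result for $path");
    }
}
```

The second case shows why matching on the literal string '../' is the wrong test: a path can contain it and still resolve inside the asset directory, so the decision has to be made on the canonical path.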

References