What is the CVSS score of CVE-2020-37034?

CVE-2020-37034 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.2%.

Is there a public PoC exploit available for CVE-2020-37034?

Yes, a public proof-of-concept exploit is available for CVE-2020-37034. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2020-37034?

Within 24 hours: Inventory all HelloWeb 2.0 instances in production and restrict network access to download.asp endpoints to trusted IPs only. Within 7 days: Deploy WAF rules to block directory traversal patterns (../, ..\) in filepath and filename parameters; implement comprehensive file access logging. Within 30 days: Execute vendor upgrade path evaluation, migrate to patched version when available, or decommission the application if no patch timeline is provided.

CVE-2020-37034

HIGH

Path Traversal (CWE-22)

2026-01-30 disclosure@vulncheck.com

Path Traversal

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Feb 03, 2026 - 16:44 vuln.today

Public exploit code

CVE Published

Jan 30, 2026 - 23:16 nvd

HIGH 7.5

DescriptionCVE.org

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.

AnalysisAI

Technical ContextAI

Classified as CWE-22 (Path Traversal). HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.

Affected ProductsAI

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and file

RemediationAI

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

CVE-2020-37034 vulnerability details – vuln.today

Back

CVE-2020-37034

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code