What is the CVSS score of CVE-2020-37083?

CVE-2020-37083 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2020-37083?

PHP AddressBook 9.0.0.1 contains a critical SQL injection vulnerability that allows attackers to extract or manipulate sensitive database information without authentication.

Is there a public PoC exploit available for CVE-2020-37083?

Yes, a public proof-of-concept exploit is available for CVE-2020-37083. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2020-37083?

Within 24 hours: Identify all systems running PHP AddressBook 9.0.0.1 and isolate or restrict network access to these instances. Within 7 days: Deploy Web Application Firewall (WAF) rules to block SQL injection patterns targeting the 'id' parameter, and disable the AddressBook application if not critical to operations. Within 30 days: Plan immediate upgrade to a patched version or replacement solution; evaluate vendor communication for security updates or consider decommissioning the application.

PHP CVE-2020-37083

HIGH

SQL Injection (CWE-89)

2026-02-03 disclosure@vulncheck.com

PHP SQLi

8.2

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 04, 2026 - 16:33 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 22:16 nvd

HIGH 8.2

DescriptionCVE.org

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.

AnalysisAI

PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. [CVSS 8.2 HIGH]

Technical ContextAI

Classified as CWE-89 (SQL Injection). PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the 'id' parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint.

Affected ProductsAI

Component: photo.php.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.