How to fix CVE-2020-37090?

Within 24 hours: Immediately disable file upload functionality in School Erp Pro or take the application offline if possible; isolate affected systems from production networks; conduct forensic review of upload directories for malicious files. Within 7 days: Implement Web Application Firewall (WAF) rules to block file uploads to vulnerable endpoints; audit all user accounts for unauthorized access; review logs for exploitation attempts. Within 30 days: Contact vendor for security patches or migration timeline; evaluate alternative ERP solutions if patches remain unavailable; complete security assessment and implement network segmentation to contain risk.

Is PHP affected by CVE-2020-37090?

School Erp Pro versions up to 1.0 contain a critical file upload vulnerability (CVSS 9.8) that allows unauthenticated attackers to upload and execute malicious files, potentially leading to complete system compromise.

CVE-2020-37090

CRITICAL

2026-02-03 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 10, 2026 - 17:00 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 22:16 nvd

CRITICAL 9.8

Description

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.

Analysis

School ERP Pro 1.0 allows students to upload arbitrary PHP files, enabling remote code execution from a low-privileged student account.

Technical Context

School ERP Pro 1.0 has a CWE-434 file upload vulnerability that allows students (low-privileged users) to upload PHP files through the assignment submission or profile functionality.

Affected Products

['School ERP Pro 1.0']

Remediation

Update the software. Implement file type validation. Disable PHP execution in upload directories.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.9

CVSS: +49

POC: +20

CVE-2020-37090 vulnerability details – vuln.today

Back

CVE-2020-37090

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2020-37090

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code