What is the CVSS score of CVE-2020-37105?

CVE-2020-37105 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2020-37105?

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated users to execute arbitrary database commands, potentially leading to unauthorized data…

Is there a public PoC exploit available for CVE-2020-37105?

Yes, a public proof-of-concept exploit is available for CVE-2020-37105. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2020-37105?

Within 24 hours: Identify all systems running PMB 5.6 and restrict administrative access to trusted networks only. Within 7 days: Implement WAF rules to block malicious SQL syntax in the logid parameter and disable the vulnerable download script if operationally feasible. Within 30 days: Evaluate upgrade to a patched version of PMB, migrate to alternative solutions, or implement comprehensive input validation and parameterized queries if in-house remediation is possible.

PHP CVE-2020-37105

HIGH

SQL Injection (CWE-89)

2026-02-03 disclosure@vulncheck.com

PHP SQLi

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 04, 2026 - 16:34 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 18:16 nvd

HIGH 7.1

DescriptionCVE.org

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

AnalysisAI

Technical ContextAI

Classified as CWE-89 (SQL Injection). Affects administration download script. PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Affected ProductsAI

Product: administration download script.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.