How to fix CVE-2020-37105?

Within 24 hours: Identify all systems running PMB 5.6 and restrict administrative access to trusted networks only. Within 7 days: Implement WAF rules to block malicious SQL syntax in the logid parameter and disable the vulnerable download script if operationally feasible. Within 30 days: Evaluate upgrade to a patched version of PMB, migrate to alternative solutions, or implement comprehensive input validation and parameterized queries if in-house remediation is possible.

Is PHP affected by CVE-2020-37105?

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated users to execute arbitrary database commands, potentially leading to unauthorized data access, modification, or deletion.

CVE-2020-37105

HIGH

2026-02-03 [email protected]

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 04, 2026 - 16:34 vuln.today

Public exploit code

CVE Published

Feb 03, 2026 - 18:16 nvd

HIGH 7.1

Description

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Analysis

Technical Context

Classified as CWE-89 (SQL Injection). Affects administration download script. PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Affected Products

Product: administration download script.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: +20

CVE-2020-37105 vulnerability details – vuln.today

Back

CVE-2020-37105

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2020-37105

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code