CVE-2020-37071

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://craftcms.com/
https://gitlab.com/wguest/craftcms-vcard-exploit
https://plugins.craftcms.com/vcard
https://www.exploit-db.com/exploits/48492
https://www.vulncheck.com/advisories/craftcms-vcard-plugin-remote-code-execution

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El plugin vCard 1.0.0 de CraftCMS 3 contiene una vulnerabilidad de deserialización que permite a atacantes no autenticados ejecutar código PHP arbitrario a través de una carga útil manipulada. Los atacantes pueden generar una carga útil serializada maliciosa que desencadena la ejecución remota de código al explotar la funcionalidad de descarga de vCard del plugin con una solicitud especialmente diseñada.

03 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-03 22:16

Updated : 2026-04-15 00:35

NVD link : CVE-2020-37071

Mitre link : CVE-2020-37071

CVE.ORG link : CVE-2020-37071

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2020-37071", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-03T22:16:22.300", "references": [{"url": "https://craftcms.com/", "source": "disclosure@vulncheck.com"}, {"url": "https://gitlab.com/wguest/craftcms-vcard-exploit", "source": "disclosure@vulncheck.com"}, {"url": "https://plugins.craftcms.com/vcard", "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/48492", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/craftcms-vcard-plugin-remote-code-execution", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request."}, {"lang": "es", "value": "El plugin vCard 1.0.0 de CraftCMS 3 contiene una vulnerabilidad de deserializaci\u00f3n que permite a atacantes no autenticados ejecutar c\u00f3digo PHP arbitrario a trav\u00e9s de una carga \u00fatil manipulada. Los atacantes pueden generar una carga \u00fatil serializada maliciosa que desencadena la ejecuci\u00f3n remota de c\u00f3digo al explotar la funcionalidad de descarga de vCard del plugin con una solicitud especialmente dise\u00f1ada."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "disclosure@vulncheck.com"}