CVE-2020-37071

CRITICAL WAF: Medium

CVSS 9.8 Published: 2026-02-03

CWE-502

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.

WAF Coverage Analysis

Insecure Deserialization Medium WAF Coverage

OWASP: A08:2021 Software and Data Integrity Failures

944xxx - Java Attack

References

craftcms.com
gitlab.com
plugins.craftcms.com
www.exploit-db.com
www.vulncheck.com

Back to CVE Database