{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2020-37071", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-01T13:16:06.484Z", "datePublished": "2026-02-03T22:01:40.185Z", "dateUpdated": "2026-02-04T19:05:44.825Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-03T22:01:40.185Z"}, "datePublic": "2020-05-18T00:00:00.000Z", "title": "CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution", "descriptions": [{"lang": "en", "value": "CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Deserialization of Untrusted Data", "cweId": "CWE-502", "type": "CWE"}]}], "affected": [{"vendor": "CraftCMS", "product": "CraftCMS", "versions": [{"version": "1.0.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/48492", "name": "ExploitDB-48492", "tags": ["exploit"]}, {"url": "https://craftcms.com/", "name": "Official CraftCMS Vendor Homepage", "tags": ["product"]}, {"url": "https://plugins.craftcms.com/vcard", "name": "CraftCMS vCard Plugin Page", "tags": ["product"]}, {"url": "https://gitlab.com/wguest/craftcms-vcard-exploit", "name": "Researcher Exploit Disclosure", "tags": ["technical-description", "exploit"]}, {"name": "VulnCheck Advisory: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/craftcms-vcard-plugin-remote-code-execution"}], "credits": [{"lang": "en", "value": "Wade Guest", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:05:33.595102Z", "id": "CVE-2020-37071", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:05:44.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-37071", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T19:05:33.595102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:05:39.732Z"}}], "cna": {"title": "CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Wade Guest"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "CraftCMS", "product": "CraftCMS", "versions": [{"status": "affected", "version": "1.0.0"}]}], "datePublic": "2020-05-18T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/48492", "name": "ExploitDB-48492", "tags": ["exploit"]}, {"url": "https://craftcms.com/", "name": "Official CraftCMS Vendor Homepage", "tags": ["product"]}, {"url": "https://plugins.craftcms.com/vcard", "name": "CraftCMS vCard Plugin Page", "tags": ["product"]}, {"url": "https://gitlab.com/wguest/craftcms-vcard-exploit", "name": "Researcher Exploit Disclosure", "tags": ["technical-description", "exploit"]}, {"url": "https://www.vulncheck.com/advisories/craftcms-vcard-plugin-remote-code-execution", "name": "VulnCheck Advisory: CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-03T22:01:40.185Z"}}}, "cveMetadata": {"cveId": "CVE-2020-37071", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:05:44.825Z", "dateReserved": "2026-02-01T13:16:06.484Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-03T22:01:40.185Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request."}, {"lang": "es", "value": "El plugin vCard 1.0.0 de CraftCMS 3 contiene una vulnerabilidad de deserializaci\u00f3n que permite a atacantes no autenticados ejecutar c\u00f3digo PHP arbitrario a trav\u00e9s de una carga \u00fatil manipulada. Los atacantes pueden generar una carga \u00fatil serializada maliciosa que desencadena la ejecuci\u00f3n remota de c\u00f3digo al explotar la funcionalidad de descarga de vCard del plugin con una solicitud especialmente dise\u00f1ada."}], "id": "CVE-2020-37071", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-03T22:16:22.300", "references": [{"source": "disclosure@vulncheck.com", "url": "https://craftcms.com/"}, {"source": "disclosure@vulncheck.com", "url": "https://gitlab.com/wguest/craftcms-vcard-exploit"}, {"source": "disclosure@vulncheck.com", "url": "https://plugins.craftcms.com/vcard"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/48492"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/craftcms-vcard-plugin-remote-code-execution"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"created": "2026-02-04T12:05:04.799369+00:00", "updated": "2026-02-04T12:05:04.799394+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}