CVE-2020-37071
CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.
| CWE | CWE-502 |
| Vendor | craftcms |
| Product | craftcms |
| Published | Feb 3, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for craftcms craftcms
Be the first to know when new critical vulnerabilities affecting craftcms craftcms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
CraftCMS / CraftCMS
1.0.0
References
exploit-db.com: https://www.exploit-db.com/exploits/48492 craftcms.com: https://craftcms.com/ plugins.craftcms.com: https://plugins.craftcms.com/vcard gitlab.com: https://gitlab.com/wguest/craftcms-vcard-exploit vulncheck.com: https://www.vulncheck.com/advisories/craftcms-vcard-plugin-remote-code-execution
Credits
Wade Guest