CVE-2020-37152

UNKNOWN 0.0

PHP-Fusion 9.03.50 panels.php - Cross-Site Scripting (XSS)

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the 'panel_content' POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the 'panel_content' field in panels.php, resulting in execution of malicious scripts in the context of the affected site.

CWE	CWE-79
Vendor	php-fusion
Product	php-fusion
Published	Feb 5, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for php-fusion php-fusion

Be the first to know when new unknown vulnerabilities affecting php-fusion php-fusion are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

PHP-Fusion / PHP-Fusion

9.03.50

References

NVD ↗ CVE.org ↗ EPSS Data ↗

php-fusion.co.uk: https://www.php-fusion.co.uk/ exploit-db.com: https://www.exploit-db.com/exploits/48299 vulncheck.com: https://www.vulncheck.com/advisories/php-fusion-panelsphp-cross-site-scripting-xss

Credits

Unkn0wn (exploit author)