CVE-2020-37241

MEDIUM 5.3

bloofoxCMS 0.5.2.1 Cross-Site Request Forgery via user add

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent.

CWE	CWE-352
Vendor	bloofox
Product	bloofoxcms
Published	May 16, 2026

Stay Ahead of the Next One

Get instant alerts for bloofox bloofoxcms

Be the first to know when new medium vulnerabilities affecting bloofox bloofoxcms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

Bloofox / bloofoxCMS

0.5.1.0 ≤ 0.5.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/49507 bloofox.com: https://www.bloofox.com/ github.com: https://github.com/alexlang24/bloofoxCMS/releases/tag/0.5.2.1 vulncheck.com: https://www.vulncheck.com/advisories/bloofoxcms-cross-site-request-forgery-via-user-add

Credits

LiPeiYi