CVE-2020-37137

PHP-Fusion 9.03.50 - 'panels.php' Eval Injection

PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'add_panel_form()' function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code.

We have discovered 2 live websites that are affected by CVE-2020-37137.

Run a Free Instant Scan



Affected Software

Product  PHPFusion
Category Content Management System
Vulnerable Domains2 live websites (1.12% of PHPFusion install base)
Vulnerable Versions
  • from 9.3.50 through 9.3.50
Vulnerable Versions Count1 versions ( 5.00% of all versions)



Details

  • Published - Feb 5, 2026
  • Updated - Feb 5, 2026

Credits

  • Unkn0wn (finder)

Website Distribution by Country

Number of websites using CVE-2020-37137
Germany1 websites
Hungary1 websites

Website Distribution by TLD

Number of websites using CVE-2020-37137
.de1 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Websites affected by CVE-2020-37137

Top websites that are affected by CVE-2020-37137. Please click on the "Contact us" link to get more information.
DomainCountryRankContacts
**********************.de Germany**,***,***
**********.hu Hungary**,***,***
See full domain list

FAQ

A total of 2 websites have been identified as vulnerable to CVE-2020-37137, based on global website indexing conducted by WebTechSurvey.
The PHPFusion is affected by the CVE-2020-37137 vulnerability.
PHPFusion versions up to and including 9.3.50 are vulnerable to CVE-2020-37137.