LiveActive security incident?Get immediate response
CVE archive

January 2020

Browse CVE records published in January 2020, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1592 matching CVEs · Page 3 of 32.

High · CVSS 8.4

CVE-2020-37029: FTPDummy 4.80 - Local Buffer Overflow

FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. Attackers can craft a malicious preference file with carefully constructed shellcode to trigger a structured exception handler overwrite and execute system commands.

Published Jan 30, 2026 · Updated Feb 3, 2026

Critical · CVSS 9.8

CVE-2020-37027: Sickbeard 0.1 - Remote Command Injection

Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation.

Published Jan 30, 2026 · Updated Feb 3, 2026

Medium · CVSS 5.3

CVE-2020-37026: Sickbeard 0.1 - Cross-Site Request Forgery

Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection.

Published Jan 30, 2026 · Updated Feb 3, 2026

High · CVSS 8.4

CVE-2020-37025: Port Forwarding Wizard 4.8.0 - Buffer Overflow

Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems.

Published Jan 30, 2026 · Updated Feb 3, 2026

High · CVSS 8.4

CVE-2020-37024: Nidesoft DVD Ripper 5.2.18 - Local Buffer Overflow

Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute shellcode.

Published Jan 30, 2026 · Updated Feb 3, 2026

High · CVSS 8.8

CVE-2020-37023: Koken CMS 0.22.24 - Arbitrary File Upload

Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension.

Published Jan 30, 2026 · Updated Feb 3, 2026

High · CVSS 7.5

CVE-2020-37038: Code Blocks 20.03 - Denial Of Service

Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash.

Published Jan 30, 2026 · Updated Feb 2, 2026

High · CVSS 8.4

CVE-2020-37036: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow

RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the 'Load' parameter that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload with an egg hunter technique to bypass memory protections and execute commands like launching calc.exe.

Published Jan 30, 2026 · Updated Feb 2, 2026

High · CVSS 8.8

CVE-2020-37035: e-learning Php Script 0.1.0 - 'search' SQL Injection

e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the 'search' parameter to potentially extract, modify, or access sensitive database information.

Published Jan 30, 2026 · Updated Feb 2, 2026

High · CVSS 8.7

CVE-2020-37034: HelloWeb 2.0 - Arbitrary File Download

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.

Published Jan 30, 2026 · Updated Feb 2, 2026

High · CVSS 8.8

CVE-2020-37033: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection

Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'usr_name' parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'usr_name' parameter to potentially extract or modify database information.

Published Jan 30, 2026 · Updated Feb 2, 2026

High · CVSS 8.4

CVE-2020-37040: Code Blocks 17.12 - 'File Name' Local Buffer Overflow

Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. Attackers can trigger the vulnerability by pasting a specially crafted payload into the file name field during project creation, potentially executing system commands like calc.exe.

Published Jan 30, 2026 · Updated Feb 2, 2026

Critical · CVSS 9.8

CVE-2020-37050: Quick Player 1.3 - '.m3l' Buffer Overflow

Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application's file loading mechanism, potentially enabling remote code execution.

Published Jan 30, 2026 · Updated Feb 2, 2026

Medium · CVSS 5.3

CVE-2020-37046: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim's consent.

Published Jan 30, 2026 · Updated Feb 2, 2026

Critical · CVSS 9.8

CVE-2020-37056: Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.

Published Jan 30, 2026 · Updated Feb 2, 2026

Critical · CVSS 9.8

CVE-2020-37052: AirControl 1.4.2 - PreAuth Remote Code Execution

AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application's system privileges.

Published Jan 30, 2026 · Updated Feb 2, 2026

High · CVSS 8.5

CVE-2020-37060: Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path

Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named 'Program.exe' to gain persistent system-level access.

Published Jan 30, 2026 · Updated Jan 30, 2026

High · CVSS 8.5

CVE-2020-37058: Andrea ST Filters Service 1.0.64.7 - Unquoted service path

Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup.

Published Jan 30, 2026 · Updated Jan 30, 2026

High · CVSS 7.5

CVE-2020-36943: aSc TimeTables 2021.6.2 - Denial of Service

aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash.

Published Jan 28, 2026 · Updated Jan 29, 2026

High · CVSS 8.8

CVE-2020-36945: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass

WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload '<email>' OR '1'='1' in both username and password fields to gain unauthorized access to the user panel.

Published Jan 28, 2026 · Updated Jan 29, 2026

Critical · CVSS 9.8

CVE-2020-36964: YATinyWinFTP - Denial of Service

YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer overflow and service crash.

Published Jan 28, 2026 · Updated Jan 29, 2026

High · CVSS 8.4

CVE-2020-36965: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)

docPrint Pro 8.0 contains a local buffer overflow vulnerability in the 'Add URL' input field that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload that triggers a structured exception handler (SEH) overwrite to execute shellcode and gain remote system access.

Published Jan 28, 2026 · Updated Jan 29, 2026

High · CVSS 8.5

CVE-2020-36976: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path

Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Acer\Registration\ to inject malicious executables that would run with elevated LocalSystem privileges during service startup.

Published Jan 27, 2026 · Updated Jan 29, 2026

High · CVSS 8.5

CVE-2020-36977: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path

Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account.

Published Jan 27, 2026 · Updated Jan 29, 2026

High · CVSS 7.5

CVE-2020-37008: EasyPMS 1.0.0 - Authentication Bypass

EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication.

Published Jan 29, 2026 · Updated Jan 29, 2026

Critical · CVSS 9.8

CVE-2020-37012: Tea LaTex 1.0 - Remote Code Execution

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API action.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 8.4

CVE-2020-37013: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)

Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially crafted input into the application's input fields.

Published Jan 29, 2026 · Updated Jan 29, 2026

Critical · CVSS 9.8

CVE-2020-36997: BacklinkSpeed 2.4 - Buffer Overflow PoC (SEH)

BacklinkSpeed 2.4 contains a buffer overflow vulnerability that allows attackers to corrupt the Structured Exception Handler (SEH) chain through malicious file import. Attackers can craft a specially designed payload file to overwrite SEH addresses, potentially executing arbitrary code and gaining control of the application.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 8.8

CVE-2020-36999: elaniin CMS 1.0 - Authentication Bypass

Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with '=''or' payload to login.php, granting unauthorized access to the system.

Published Jan 29, 2026 · Updated Jan 29, 2026

Critical · CVSS 9.8

CVE-2020-37000: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)

Free MP3 CD Ripper 2.8 contains a stack buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting a malicious WAV file with oversized payload. Attackers can leverage a specially crafted exploit file with shellcode, SEH bypass, and egghunter technique to achieve remote code execution on vulnerable Windows systems.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 7.5

CVE-2020-36995: Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service

Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the 'User' field with 350 bytes of repeated characters to trigger an application crash and prevent normal functionality.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 8.2

CVE-2020-37006: berliCRM 1.0.24 - 'src_record' SQL Injection

berliCRM 1.0.24 contains a SQL injection vulnerability in the 'src_record' parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 7.5

CVE-2020-37015: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal

Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with '../' sequences to retrieve system configuration files containing credentials and network settings.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 8.5

CVE-2020-37016: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path

BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges.

Published Jan 29, 2026 · Updated Jan 29, 2026

High · CVSS 8.7

CVE-2020-36973: PDW File Browser 1.3 - Remote Code Execution

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36980: SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path

SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions.

Published Jan 27, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36984: EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path

EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\ to inject malicious executables that will run with LocalSystem permissions.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36986: Prey 1.9.6 - "CronService" Unquoted Service Path

Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36987: Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path

Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36989: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path

ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36990: Input Director 1.4.3 - 'Input Director' Unquoted Service Path

Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.5

CVE-2020-36991: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path

ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup.

Published Jan 28, 2026 · Updated Jan 28, 2026

High · CVSS 8.8

CVE-2020-36938: WinAVR Version 20100110 - Insecure Folder Permissions

WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory.

Published Jan 27, 2026 · Updated Jan 27, 2026

Critical · CVSS 9.8

CVE-2020-36940: Easy CD & DVD Cover Creator 4.13 - Denial of Service

Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash.

Published Jan 27, 2026 · Updated Jan 27, 2026

High · CVSS 8.8

CVE-2020-36942: Victor CMS 1.0 - File Upload To RCE

Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser.

Published Jan 27, 2026 · Updated Jan 27, 2026

High · CVSS 7.5

CVE-2020-36949: TapinRadio 2.13.7 - Denial of Service

TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unresponsive and require reinstallation.

Published Jan 27, 2026 · Updated Jan 27, 2026

High · CVSS 8.5

CVE-2020-36981: Motorola Device Manager 2.4.5 - 'ForwardDaemon.exe ' Unquoted Service Path

Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup.

Published Jan 27, 2026 · Updated Jan 27, 2026

High · CVSS 8.5

CVE-2020-36982: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path

Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup.

Published Jan 27, 2026 · Updated Jan 27, 2026