CVE-2020-13756

CRITICAL · EXPLOITED IN THE WILD

Sabberworm PHP CSS Parser < 8.3.1 - Code Injection

Description

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

Exploits (1)

nomisec WORKING POC
by KrE80r · poc
https://github.com/KrE80r/CVE-2020-13756-env

Scores

CVSS v3 9.8
EPSS 0.2655
EPSS Percentile 96.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2022-01-12
InTheWild.io 2022-01-12
CWE CWE-94
Status published
Products (2)
sabberworm/php-css-parser 8.3.0 - 8.3.1 (Packagist)
sabberworm/php_css_parser < 8.3.1
Published Jun 03, 2020
Tracked Since Feb 18, 2026