CVE-2020-17496

CRITICAL KEV NUCLEI

vBulletin 5.5.4-5.6.2 - Remote Command Execution via subWidgets Data in AJAX Widget Renderer

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-17496 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 3 public exploits from researchers including ludy-dev, ctlyz123, including a Metasploit module exploits/multi/http/vbulletin_widget_template_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2020-17496, a remote code execution vulnerability in vBulletin 5.x via the widgetConfig parameter in the ajax/render/widget_tabbedcontainer_tab_panel endpoint. It sends a crafted POST request to execute the 'id' command and checks the response for a successful exploit.

Description

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

Exploits (3)

nomisec WORKING POC 3 stars
by ludy-dev · remote
https://github.com/ludy-dev/vBulletin_5.x-tab_panel-RCE

This PoC exploits CVE-2020-17496, a remote code execution vulnerability in vBulletin 5.x via the widgetConfig parameter in the ajax/render/widget_tabbedcontainer_tab_panel endpoint. It sends a crafted POST request to execute the 'id' command and checks the response for a successful exploit.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.5.4 to 5.6.2
No auth needed
Prerequisites: Network access to the target vBulletin instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by ctlyz123 · poc
https://github.com/ctlyz123/CVE-2020-17496

This repository contains a working proof-of-concept exploit for CVE-2020-17496, a remote code execution vulnerability in vBulletin 5.6.0. The exploit leverages the widget rendering functionality to execute arbitrary PHP code via the `subWidgets[0][template]` and `subWidgets[0][config][code]` parameters.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: vBulletin 5.6.0
No auth needed
Prerequisites: Access to the vBulletin instance · Widget rendering endpoint enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/vbulletin_widget_template_rce.rb

This Metasploit module exploits a logic bug in vBulletin 5.x template rendering to achieve remote code execution by bypassing filters via the 'widget_tabbedcontainer_tab_panel' template and 'widget_php' argument. It supports multiple payload types including Meterpreter and command execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: vBulletin 5.x
No auth needed
Prerequisites: Access to the target vBulletin instance · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

vBulletin 5.5.4 - 5.6.2- Remote Command Execution
CRITICALby pussycat0x
Shodan: http.title:"powered by vbulletin" || http.html:"powered by vbulletin" || http.component:"vbulletin" || cpe:"cpe:2.3:a:vbulletin:vbulletin"
FOFA: body="powered by vbulletin" || title="powered by vbulletin"

References (5)

Core 5

Scores

CVSS v3 9.8
EPSS 0.9418
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-12-14
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-9444
CWE
CWE-74
Status published
Products (1)
vbulletin/vbulletin 5.5.4 - 5.6.2
Published Aug 12, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026