CVE-2020-36996

MEDIUM

PHPFusion < 9.03.50 - Stored Cross-Site Scripting in print.php via Forum Message


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36996. PoCs published by coiffeur.

AI-analyzed exploit summary: This writeup describes a persistent XSS vulnerability in PHPFusion 9.03.50, where the print functionality fails to sanitize user input, allowing JavaScript execution via injected HTML in thread messages.

Description

PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers.

Exploits (1)

exploitdb WRITEUP
by coiffeur · text · webapps · php
https://www.exploit-db.com/exploits/48497


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PHPFusion v9.03.50
Auth required
Prerequisites: Authenticated user access to create or edit thread messages
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory (exploit): https://www.exploit-db.com/exploits/48497
Various Sources (product): https://www.php-fusion.co.uk/home.php

Scores

CVSS v3: 6.4
EPSS: 0.0022
EPSS Percentile: 12.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): Php-Fusion/PHPFusion < 9.03.50
Published: Jan 30, 2026
Tracked Since: Feb 18, 2026