CVE-2020-37054
MEDIUM
Navigate CMS 2.8.7 - CSRF
Title source: llm
Description
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation.
Exploits (1)
Scores
CVSS v3
4.3
EPSS
0.0001
EPSS Percentile
0.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Classification
CWE
CWE-352
Status
published
Affected Products (1)
naviwebs/navigate_cms
Timeline
Published
Jan 30, 2026
Tracked Since
Feb 18, 2026