CVE-2020-37059

HIGH

Popcorn Time 6.2.1.14 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37059. PoCs published by Uriel Yochpaz.

AI-analyzed exploit summary This is a writeup describing an unquoted service path vulnerability in Popcorn Time 6.2.1.14, which could allow local privilege escalation (LPE) if an attacker can place an executable in a specific path. No actual exploit code is provided.

Description

Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup.

Exploits (1)

exploitdb WRITEUP
by Uriel Yochpaz · textlocalwindows
https://www.exploit-db.com/exploits/48378

This is a writeup describing an unquoted service path vulnerability in Popcorn Time 6.2.1.14, which could allow local privilege escalation (LPE) if an attacker can place an executable in a specific path. No actual exploit code is provided.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Theoretical
Target: Popcorn Time 6.2.1.14 and prior
Auth required
Prerequisites: Local access to the system · Ability to write executables to 'C:\' or 'Program Files (x86)'
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48378
Various Sources product
https://getpopcorntime.is

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 3.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-428
Status published
Published Jan 30, 2026
Tracked Since Feb 18, 2026