CVE-2020-37072

HIGH

Victor CMS 1.0 - Stored Cross-Site Scripting via Comment Author Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37072. PoCs published by Kishan Lal Choudhary.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Victor CMS 1.0 via the 'comment_author' parameter. The PoC includes a direct HTTP request and a CSRF HTML form to trigger the payload.

Description

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.

Exploits (1)

exploitdb WORKING POC
by Kishan Lal Choudhary · textwebappsphp
https://www.exploit-db.com/exploits/48484

This exploit demonstrates a stored XSS vulnerability in Victor CMS 1.0 via the 'comment_author' parameter. The PoC includes a direct HTTP request and a CSRF HTML form to trigger the payload.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Victor CMS 1.0
No auth needed
Prerequisites: Access to the comment submission endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/48484

Scores

CVSS v3 7.2
EPSS 0.0023
EPSS Percentile 14.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
victor_cms_project/victor_cms 1.0
Published Feb 03, 2026
Tracked Since Feb 18, 2026