CVE-2020-37078

HIGH

i-doit Open Source CMDB 1.14.1 - File Deletion

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37078. PoCs published by Besim.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file deletion vulnerability in i-doit Open Source CMDB 1.14.1 via the 'delete_import' parameter in the Import Module. The PoC shows a POST request that can delete any file on the server by specifying the filename in the 'delete_import' parameter.

Description

i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server's filesystem.

Exploits (1)

exploitdb WORKING POC
by Besim · text · webapps · php
https://www.exploit-db.com/exploits/48427


Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: i-doit Open Source CMDB v1.14.1
Auth required
Prerequisites: Access to the Import Module · Valid session cookie (PHPSESSID)
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48427
Various Sources product
https://www.i-doit.org/

Scores

CVSS v3 8.8
EPSS 0.0032
EPSS Percentile 24.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-73
Status published
Products (1)
i-doit GmbH/i-doit Open Source CMDB 1.14.1
Published Feb 03, 2026
Tracked Since Feb 18, 2026