CVE-2020-37090

CRITICAL

School ERP Pro 1.0 - RCE

Description

School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.

Exploits (1)

exploitdb WORKING POC
by Besim · text · webapps · php
https://www.exploit-db.com/exploits/48392

Scores

CVSS v3 9.8
EPSS 0.0104
EPSS Percentile 77.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-434
Status published
Products (1)
arox/school_erp_pro 1.0
Published Feb 03, 2026
Tracked Since Feb 18, 2026