CVE-2020-37105

HIGH

PMB 5.6 - Authenticated SQL Injection via logid Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37105. PoCs published by 41-trk.

AI-analyzed exploit summary This is a writeup describing a SQL injection vulnerability in PMB 5.6 via the 'logid' parameter in the admin/sauvegarde/download.php file. It includes a proof-of-concept URL and instructions for using SQLMap to exploit the vulnerability.

Description

PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the 'logid' parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database.

Exploits (1)

exploitdb WRITEUP
by 41-trk · textwebappsphp
https://www.exploit-db.com/exploits/48356

This is a writeup describing a SQL injection vulnerability in PMB 5.6 via the 'logid' parameter in the admin/sauvegarde/download.php file. It includes a proof-of-concept URL and instructions for using SQLMap to exploit the vulnerability.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: PMB <= 5.6
Auth required
Prerequisites: Valid user session cookie · Access to the admin interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48356
Various Sources product
http://www.sigb.net
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/pmb-logid-sql-injection

Scores

CVSS v3 7.1
EPSS 0.0022
EPSS Percentile 12.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
redmine/PMB 5.6
Published Feb 03, 2026
Tracked Since Feb 18, 2026