CVE-2020-37110

HIGH

60CycleCMS 2.5.2 - SQL Injection via News Title Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37110. PoCs published by Unkn0wn.

AI-analyzed exploit summary The code describes SQL injection and XSS vulnerabilities in 60CycleCMS 2.5.2, detailing affected functions and code paths in `lib.php` and `news.php`. It provides technical analysis of the vulnerabilities but does not include functional exploit code.

Description

60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like 'title' to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting.

Exploits (1)

exploitdb WRITEUP
by Unkn0wn · textwebappsphp
https://www.exploit-db.com/exploits/48177

The code describes SQL injection and XSS vulnerabilities in 60CycleCMS 2.5.2, detailing affected functions and code paths in `lib.php` and `news.php`. It provides technical analysis of the vulnerabilities but does not include functional exploit code.

Classification
Writeup 90%
Attack Type
Sqli | Xss
Complexity
Trivial
Reliability
Theoretical
Target: 60CycleCMS 2.5.2
No auth needed
Prerequisites: Access to the vulnerable web application
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/48177

Scores

CVSS v3 8.2
EPSS 0.0035
EPSS Percentile 26.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
opensourcecms/60cyclecms 2.5.2
Published Feb 03, 2026
Tracked Since Feb 18, 2026