CVE-2020-37186

CRITICAL

Chevereto 3.13.4 - Remote Code Execution via Database Table Prefix Manipulation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37186. PoCs published by Jinny Ramsmark.

AI-analyzed exploit summary: This exploit targets Chevereto (Free and Core versions) by injecting malicious PHP code into the database table prefix during installation, leading to remote code execution. It leverages file write operations to create a backdoor in 'images/license.php' and executes arbitrary commands via HTTP POST requests.

Description

Chevereto 3.13.4 Core contains a remote code execution vulnerability that allows attackers to inject malicious code during database configuration installation. Attackers can manipulate the database table prefix parameter to write a PHP shell file and execute arbitrary system commands through a crafted POST request.

Exploits (1)

exploitdb WORKING POC
by Jinny Ramsmark · python · webapps · php
https://www.exploit-db.com/exploits/47903


Classification
Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Chevereto (1.0.0 Free - 1.1.4 Free, <= 3.13.4 Core)
No auth needed
Prerequisites: Valid database credentials · Access to the installation endpoint · PHP file write permissions
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/47903
Various Sources product
https://chevereto.com/

Scores

CVSS v3: 9.8
EPSS: 0.0097
EPSS Percentile: 57.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (1): Chevere SpA/Chevereto <= 3.13.4
Published: Feb 11, 2026
Tracked Since: Feb 18, 2026