CVE-2020-7799

HIGH

FusionAuth < 1.11.0 - Authenticated FreeMarker Template Injection (RCE)

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-7799. PoCs published by ianxtianxt, Pikaqi.

AI-analyzed exploit summary: Both repositories contain a functional exploit for CVE-2020-7799, a FreeMarker template injection in FusionAuth. The PoC sends a crafted POST request that executes arbitrary OS commands (e.g. 'cat /etc/passwd') via the 'emailTemplate.defaultHtmlTemplate' parameter.

Description

An issue was discovered in FusionAuth before 1.11.0. An authenticated user, allowed to edit e-mail templates (Home -> Settings -> Email Templates) or themes (Home -> Settings -> Themes), can execute commands on the underlying operating system by abusing freemarker.template.utility.Execute in the Apache FreeMarker engine that processes custom templates.
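The mechanism described above (instantiating freemarker.template.utility.Execute from a user-supplied template) is what the public PoCs send to the preview endpoint, and it is also what a defender needs to recognise in captured traffic. The block below is an added example written for this page, not code from either PoC repository or from FusionAuth: it builds the classic FreeMarker Execute payload so the detection side has a realistic input, then scans constructed form-encoded request bodies for that class name and for the ?new / ?api built-ins. The endpoint and parameter names come from the page; the sample requests, source IPs and the '/admin/theme/edit' path are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Endpoint and parameter named on this page (from the PoC summaries).
PREVIEW_PATH = "/ajax/email/template/preview"
TEMPLATE_FIELD = "emailTemplate.defaultHtmlTemplate"


def build_execute_payload(cmd: str) -> str:
    """Classic FreeMarker SSTI payload: instantiate
    freemarker.template.utility.Execute with the ?new built-in and call it,
    which runs `cmd` on the server when the template is rendered."""
    # Escape for a FreeMarker double-quoted string literal.
    literal = cmd.replace("\\", "\\\\").replace('"', '\\"')
    return f'<#assign ex="freemarker.template.utility.Execute"?new()>${{ex("{literal}")}}'


def build_preview_body(cmd: str) -> str:
    """Form-encoded body a PoC would POST to PREVIEW_PATH."""
    return urlencode({TEMPLATE_FIELD: build_execute_payload(cmd)})


# --- detection side -------------------------------------------------------

# Classes whose ?new instantiation yields code execution; FreeMarker's
# SAFER_RESOLVER blocks exactly these three.
DANGEROUS_CLASSES = (
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "freemarker.template.utility.JythonRuntime",
)
# Any use of the ?new or ?api built-ins in a user-editable e-mail or theme
# template is suspicious; neither has a legitimate use there.
DANGEROUS_BUILTINS = re.compile(r"\?\s*(new|api)\b", re.IGNORECASE)


def template_findings(template: str) -> list[str]:
    """Return reasons a template body looks like a FreeMarker injection."""
    reasons = [f"references {cls}" for cls in DANGEROUS_CLASSES if cls in template]
    for m in DANGEROUS_BUILTINS.finditer(template):
        reasons.append(f"uses ?{m.group(1).lower()} built-in")
    return reasons


def inspect_request(method: str, path: str, body: str) -> list[tuple[str, str]]:
    """Decode a form-encoded POST body and flag every parameter carrying
    template-injection markers. Returns (parameter, reason) pairs."""
    if method.upper() != "POST":
        return []
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            findings.extend((name, r) for r in template_findings(value))
    return findings


# Constructed sample traffic (not real captures): an exploit attempt against
# the preview endpoint, a benign template save, and an attempt using ?api
# against a hypothetical theme-editing path.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": PREVIEW_PATH,
     "body": build_preview_body("cat /etc/passwd")},
    {"src": "198.51.100.2", "method": "POST", "path": PREVIEW_PATH,
     "body": urlencode({TEMPLATE_FIELD: "<p>Hello ${user.firstName}!</p>"})},
    {"src": "203.0.113.9", "method": "POST", "path": "/admin/theme/edit",
     "body": urlencode({"theme.template": "${object?api.getClass().getName()}"})},
]


def scan(requests: list[dict]) -> list[dict]:
    """Run inspect_request over a batch and return one alert per hit request."""
    alerts = []
    for r in requests:
        hits = inspect_request(r["method"], r["path"], r["body"])
        if hits:
            alerts.append({"src": r["src"], "path": r["path"], "hits": hits})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print(f"{a['src']} {a['path']}")
        for param, reason in a["hits"]:
            print(f"  {param}: {reason}")
```

Treat the string and regex checks as a triage signal over access logs or WAF captures, not as a control: a class name assembled from concatenated literals or a template saved through another endpoint and rendered later at send time will slip past them. Because the CVSS vector requires high privileges, a hit also means an administrator session (the JSESSIONID the PoCs need) is already in attacker hands and should be investigated as such. The durable fix is the 1.11.0 upgrade named on this page; any application that embeds FreeMarker for user-editable templates should additionally set FreeMarker's new_builtin_class_resolver to ALLOWS_NOTHING_RESOLVER (or at least SAFER_RESOLVER) instead of the unrestricted default, so that ?new cannot reach Execute at all.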

Exploits (2)

nomisec · WORKING POC · 3 stars
by ianxtianxt · poc
https://github.com/ianxtianxt/CVE-2020-7799

This repository contains a functional exploit for CVE-2020-7799, which targets a FreeMarker template injection vulnerability in FusionAuth. The PoC sends a crafted POST request to execute arbitrary commands (e.g., 'cat /etc/passwd') via the 'emailTemplate.defaultHtmlTemplate' parameter.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FusionAuth (versions affected by CVE-2020-7799)
Auth required: yes
Prerequisites: valid JSESSIONID cookie · access to the target's '/ajax/email/template/preview' endpoint
Analyzed by devstral-2 on Feb 18, 2026
nomisec · WORKING POC · 1 star
by Pikaqi · poc
https://github.com/Pikaqi/cve-2020-7799

This repository contains a functional exploit for CVE-2020-7799, which targets a FreeMarker template injection vulnerability in FusionAuth. The script sends a crafted POST request to execute arbitrary commands (e.g., 'cat /etc/passwd') via the 'emailTemplate.defaultHtmlTemplate' parameter.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: FusionAuth (versions affected by CVE-2020-7799)
Auth required: yes
Prerequisites: valid JSESSIONID cookie · access to the target's '/ajax/email/template/preview' endpoint
Analyzed by devstral-2 on Feb 18, 2026

References (4)

Exploit, Release Notes, Vendor Advisory
https://fusionauth.io/docs/v1/tech/release-notes
Mailing List, Third Party Advisory
https://seclists.org/bugtraq/2020/Jan/39
Third Party Advisory
https://lab.mediaservice.net/advisory/2020-03-fusionauth.txt

Scores

CVSS v3.1 base score: 7.2 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack vector: Network, low complexity, no user interaction, but high privileges required (an account allowed to edit e-mail templates or themes)
EPSS: 0.1981 (19.81% estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 97.1%

Details

CWE: CWE-917 (Expression Language Injection)
Status: published
Products (1): fusionauth/fusionauth < 1.11.0
Published: Jan 28, 2020
Tracked since: Feb 18, 2026