CVE-2020-13756

CRITICAL

9.8

Description

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published6/3/2020

Last Modified11/3/2025

Sourcenvd

Honeypot Sightings0

Affected Products

sabberworm:php_css_parser

Weaknesses (CWE)

CWE-94

References

http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html(cve@mitre.org)

http://seclists.org/fulldisclosure/2020/Jun/7(cve@mitre.org)

https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4(cve@mitre.org)

https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1(cve@mitre.org)

http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html(af854a3a-2127-422b-91ae-364da2661108)

http://seclists.org/fulldisclosure/2020/Jun/7(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2025/10/msg00013.html(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.