CVE-2020-36996
Unknown Unknown - Not Provided
Persistent XSS in PHPFusion 9.03.50 print.php Allows Script Execution

Publication date: 2026-01-30

Last updated on: 2026-01-30

Assigner: VulnCheck

Description
PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2020-36996
EUVD
EUVD-2020-30963
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
phpfusion phpfusion to 9.03.50 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2020-36996 is a persistent cross-site scripting (XSS) vulnerability in PHPFusion version 9.03.50. It occurs because the print.php page fails to properly sanitize user-submitted message content in forum posts. Attackers can inject malicious JavaScript code into forum messages, which then executes in the browsers of users who view the print page. This happens because the print functionality uses a function that processes the message text but does not neutralize or escape harmful HTML or JavaScript, allowing persistent script injection. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the browsers of users who view the print page of forum threads. This can lead to unauthorized actions such as stealing user credentials, session hijacking, or performing actions on behalf of the victim user. Since the malicious script is stored persistently in forum messages, it can affect multiple users over time, potentially compromising user data and trust. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript code injected into forum messages that appear on the print.php page. One way to detect it is to review forum messages for suspicious HTML tags such as <img onerror=...> or other script injections. Additionally, you can test the print.php page by accessing URLs like <ROOT>/print.php?type=F&item_id=1&rowstart=0 and inspecting the output for unescaped HTML or JavaScript code. There are no specific commands provided, but manual inspection or automated scanning tools targeting stored XSS in the print.php output can be used. [2]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the print.php page to prevent execution of injected scripts, and reviewing forum messages for malicious content to remove any injected scripts. Applying patches or updates from PHPFusion that fix the sanitization issue in print.php is recommended. If patching is not immediately possible, implementing web application firewall (WAF) rules to block or sanitize malicious input or output related to print.php can help reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-36996. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart