CVE-2020-37178
Awaiting Analysis Awaiting Analysis - Queue
Denial of Service in KeePass Help System via Malicious HTML

Publication date: 2026-02-11

Last updated on: 2026-02-12

Assigner: VulnCheck

Description
KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling. Attackers can trigger the vulnerability by dragging and dropping malicious HTML files into the help area, potentially causing application instability or crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2020-37178
EUVD
EUVD-2020-31208
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
keepass password_safe to 2.44 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2020-37178 is a denial of service vulnerability in KeePass Password Safe versions before 2.44. It occurs due to improper handling of HTML content in the application's help system."}, {'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability by dragging and dropping malicious HTML files into the help area of the application. This malicious HTML can contain embedded JavaScript payloads that cause the application to become unstable or crash.'}, {'type': 'paragraph', 'content': "The vulnerability is related to CWE-94, which involves improper control of code generation, allowing code injection through the help system's HTML handling."}] [1, 2]

Impact Analysis

This vulnerability can cause KeePass Password Safe to become unstable or crash, resulting in a denial of service condition.

In addition to denial of service, the vulnerability can potentially allow execution of arbitrary commands if ActiveX scripting is enabled, which could lead to remote code execution on Windows platforms.

  • Loss of access to the password manager during a crash or instability.
  • Potential execution of malicious code leading to further system compromise.
  • Disruption of normal application behavior, impacting productivity and security.
Compliance Impact

I don't know

Detection Guidance

This vulnerability is triggered locally by dragging and dropping malicious HTML files into the KeePass help system, causing application instability or crash.

Detection involves monitoring for unusual crashes or hangs of KeePass Password Safe versions prior to 2.44, especially when interacting with the help system.

Since the exploit requires user interaction and local access, network detection is limited.

No specific commands are provided in the resources to detect this vulnerability automatically.

Mitigation Strategies

The primary mitigation is to upgrade KeePass Password Safe to version 2.44 or later, where this vulnerability is fixed.

Avoid dragging and dropping untrusted or suspicious HTML files into the KeePass help system.

Limit user interaction with the help system or disable the help system if possible until the update is applied.

Ensure that ActiveX scripting is disabled or restricted on Windows systems to reduce risk of arbitrary code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2020-37178. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart