Remote Code Execution vulnerability
Description
Nette PHP framework before patched versions allows remote code execution via specially crafted URL parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-15227 is a code injection vulnerability in the Nette PHP framework, affecting versions prior to 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, and 3.0.6 [1]. The flaw allows an attacker to inject and execute arbitrary PHP code by passing specially formed parameters in a URL [4]. This marks the first security vulnerability discovered in Nette's 13-year history [4].
Exploitation
The attack vector is remote and requires no authentication, as the vulnerability is triggered through crafted HTTP requests [1]. The attacker must be able to send a specially formed URL to the target application, which then processes the malicious parameters, leading to code execution [4]. The exact mechanism has not been publicly detailed to prevent widespread exploitation [4].
Impact
Successful exploitation can lead to full remote code execution (RCE) on the server, potentially allowing an attacker to compromise the entire application and underlying system [1][4]. Given Nette's widespread use in PHP projects, this vulnerability poses a significant risk to unpatched installations [2].
Mitigation
Patches have been released for all affected versions, including unsupported branches, reflecting Nette's commitment to security [4]. Users are strongly advised to update to the latest patched versions: nette/application 3.0.6 (or 3.0.2.1, 3.1.0-RC2), 2.4.16, 2.3.14, and nette/nette 2.1.13, 2.0.19 [4]. The fix can be applied via Composer or by downloading updated packages [4]. A Linux script is also available for rapid patching [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nette/application (Packagist) | >= 2.0.0, < 2.0.19 | 2.0.19 |
| nette/application (Packagist) | >= 2.1.0, < 2.1.13 | 2.1.13 |
| nette/application (Packagist) | >= 2.2.0, < 2.2.10 | 2.2.10 |
| nette/application (Packagist) | >= 2.3.0, < 2.3.14 | 2.3.14 |
| nette/application (Packagist) | >= 2.4.0, < 2.4.16 | 2.4.16 |
| nette/application (Packagist) | >= 3.0.0, < 3.0.6 | 3.0.6 |
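A defender-side check that reads the affected ranges from the table above and flags a pinned `nette/application` version in a `composer.lock`. This is an added example, not code from the page or from the Nette project; the lock file content is constructed inline, and the simple version comparison treats pre-releases (e.g. `3.0.6-RC1`) as older than the corresponding final release and does not assess `-dev` branch aliases.

```python
import json

# Affected ranges for nette/application, copied from the advisory table on this page:
# [lower inclusive, upper exclusive) pairs; the upper bound is the patched release.
AFFECTED_RANGES = {
    "nette/application": [
        ("2.0.0", "2.0.19"), ("2.1.0", "2.1.13"), ("2.2.0", "2.2.10"),
        ("2.3.0", "2.3.14"), ("2.4.0", "2.4.16"), ("3.0.0", "3.0.6"),
    ],
}

def version_key(version):
    """Map 'v3.0.6' or '3.1.0-RC2' to a sortable key; a pre-release sorts before its final."""
    core, _, pre = version.lstrip("vV").partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, 0 if pre else 1

def is_affected(package, version):
    """True if the given package version falls inside any affected range."""
    for low, high in AFFECTED_RANGES.get(package, []):
        if version_key(low) <= version_key(version) < version_key(high):
            return True
    return False

def audit_lock(lock_json):
    """Return {package: version} for every locked package in an affected range."""
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if is_affected(pkg["name"], pkg["version"]):
                findings[pkg["name"]] = pkg["version"]
    return findings

# Constructed composer.lock fragment (hypothetical project), pinning a vulnerable 2.4.x release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "nette/application", "version": "v2.4.15"},
        {"name": "nette/utils", "version": "v3.1.2"},
    ],
    "packages-dev": [{"name": "nette/tester", "version": "v2.3.4"}],
})

if __name__ == "__main__":
    for name, ver in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {ver} is in an affected range; update to the patched release")
```

Run it against a real lock file with `audit_lock(open("composer.lock").read())`; an empty result means no locked `nette/application` version is inside the table's ranges.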
Affected products
- nette/application, range: >= 2.0.0, < 2.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-8gv3-3j7f-wg94 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227 (NVD)
- https://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability (vendor blog)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/nette/application/CVE-2020-15227.yaml
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 (vendor advisory)
- https://lists.debian.org/debian-lts-announce/2021/04/msg00003.html (Debian LTS mailing list)
- https://packagist.org/packages/nette/application
- https://packagist.org/packages/nette/nette
News mentions
No linked articles in our index yet.