CVE-2020-35734
Description
Sruu.pl in Batflat 1.3.6 allows an authenticated user to perform code injection (and consequently Remote Code Execution) via the input fields of the Users tab. To exploit this, one must log in to the administration panel and edit an arbitrary user's data (username, displayed name, etc.). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Batflat 1.3.6 allows authenticated admin users to inject PHP code via unsanitized user profile fields, leading to remote code execution.
Vulnerability
Batflat CMS version 1.3.6 contains a code injection vulnerability in the sruu.pl component, specifically in the Users tab of the administration panel. Input fields such as the "Displayed name" are not sanitized, allowing an authenticated user with access to the Users tab to inject arbitrary PHP code. This is confirmed in the official issue tracker [1].
Exploitation
An attacker must first authenticate to the Batflat administration panel. Once logged in, they navigate to the Users tab and edit an existing user (or create a new one). By entering PHP code into fields like "Displayed name", the code is saved and subsequently executed on the server. No additional privileges beyond standard admin access are required. The injected code runs with the web server's privileges.
Impact
Successful exploitation results in arbitrary PHP code execution on the web server, leading to full remote code execution (RCE). The attacker can then compromise the entire CMS installation, access or modify sensitive data, and potentially pivot to other systems.
Mitigation
The maintainer has marked Batflat as unsupported (end-of-life). No official patch has been released for version 1.3.6. As of the publication date (2021-02-15), users should upgrade to a maintained fork or migrate away from the software entirely. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Workarounds include restricting access to the admin panel to trusted users only.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sruu.pl/Batflat
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/161457/Batflat-CMS-1.3.6-Remote-Code-Execution.html (x_refsource_MISC)
- batflat.org/en/changelog (x_refsource_MISC)
- github.com/sruupl/batflat/issues/98 (x_refsource_MISC)
- secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/ (x_refsource_MISC)
News mentions
No linked articles in our index yet.