CVE-2020-37178
Description
KeePass Password Safe versions before 2.44 contain a denial of service vulnerability in the help system's HTML handling. Attackers can trigger the vulnerability by dragging and dropping malicious HTML files into the help area, potentially causing application instability or crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KeePass Password Safe versions before 2.44 are vulnerable to denial of service via drag-and-drop of malicious HTML files into the help system.
Vulnerability
Overview
CVE-2020-37178 is a denial-of-service vulnerability in KeePass Password Safe versions prior to 2.44. The flaw resides in the help system's HTML handling, where improper control of code generation (CWE-94) allows an attacker to inject malicious scripts via crafted HTML files [1][3]. When a user drags and drops such a file into the help area, the application processes it unsafely, leading to instability or crash.
Exploitation
The attack requires local access and user interaction. An attacker must convince a user to drag and drop a specially crafted HTML file into the KeePass help interface (e.g., via the "About KeePass" dialog) [1]. No authentication is needed beyond the user's session, and the CVSS v4 vector indicates low attack complexity and no privileges required [3]. The exploit does not require network access, as the file is delivered locally.
Impact
Successful exploitation results in a denial of service, causing the application to become unstable or crash. There is no indication of data exfiltration or persistent compromise; the impact is limited to availability [3]. The vulnerability does not affect the password database integrity.
Mitigation
KeePass addressed this issue in version 2.44, released in early 2020. Users should upgrade to the latest version (currently 2.61.1 as of May 2026) to ensure protection [2]. No workarounds are documented; the only reliable fix is updating the software.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.44
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.