{"id":"CVE-2020-5203","details":"In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code execution if developers choose to pass user-controlled input (e.g., $_REQUEST, $_GET, or $_POST) to the framework's Clear method.","aliases":["GHSA-hpj2-4hfj-g233"],"modified":"2026-03-14T10:31:23.911919Z","published":"2020-03-11T14:15:14.623Z","references":[{"type":"ADVISORY","url":"https://github.com/bcosca/fatfree/releases"},{"type":"FIX","url":"https://github.com/bcosca/fatfree-core/commit/dae95a0baf3963a9ef87c17cee52f78f77e21829"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bcosca/fatfree","events":[{"introduced":"0"},{"last_affected":"495a97c9957a9edfbaea362927be6f3faa96fc52"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.7.1"}]}},{"type":"GIT","repo":"https://github.com/f3-factory/fatfree-core","events":[{"introduced":"0"},{"fixed":"dae95a0baf3963a9ef87c17cee52f78f77e21829"}]}],"versions":["3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.1","3.2.0","3.2.1","3.2.2","3.3.0","3.4.0","3.5.0","3.5.1","3.6.0","3.6.1","3.6.2","3.6.3","3.6.4","3.6.5","3.7.0","3.7.1","release","v3.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5203.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}