Platform: windows
Component: keepass-password-safe
Fixed in: 2.44.1
CVE-2020-37178 describes a denial-of-service (DoS) vulnerability present in KeePass Password Safe versions prior to 2.44. An attacker can exploit this flaw by crafting and dragging malicious HTML files into the application's help system, potentially leading to instability or a complete crash. This vulnerability impacts users running KeePass Password Safe versions 2.44 and earlier.
The primary impact of CVE-2020-37178 is a denial-of-service condition. Successful exploitation allows an attacker to crash the KeePass Password Safe application, preventing legitimate users from accessing their stored passwords. While this vulnerability doesn't directly lead to data exfiltration or unauthorized access, it can disrupt operations and potentially be used as a distraction tactic in a larger attack. The ease of exploitation – simply dragging a file – makes it a relatively low-effort attack vector.
CVE-2020-37178 was publicly disclosed on 2026-02-11. There are currently no known public proof-of-concept exploits available. The EPSS score is likely low, given the lack of public exploitation and the relatively simple nature of the attack. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2020-37178 is to upgrade KeePass Password Safe to version 2.44 or later. This version contains a fix that addresses the vulnerability in the help system's HTML handling. If immediate upgrading is not possible, consider restricting user access to the help system or implementing input validation to prevent the loading of potentially malicious HTML files. There are no specific WAF or proxy rules that can directly mitigate this vulnerability, as it occurs within the application itself.
Update KeePass Password Safe to version 2.44 or later. This version fixes the denial-of-service vulnerability in the handling of HTML files in the help system. Download the latest version from the official KeePass website.
CVE-2020-37178 is a denial-of-service vulnerability in KeePass Password Safe versions before 2.44. Attackers can crash the application by dragging malicious HTML files into the help system.
Yes, if you are using KeePass Password Safe version 2.44 or earlier, you are affected by this vulnerability.
Upgrade KeePass Password Safe to version 2.44 or later to resolve the vulnerability.
There are currently no reports of active exploitation of CVE-2020-37178.
Refer to the official KeePass Password Safe website for the advisory and release notes: https://keepass.info/.