HIGHCVE-2020-37214CVSS 7.5

CVE-2020-37214: Directory Traversal in Voyager CMS

Q: What is CVE-2020-37214 — Directory Traversal in Voyager CMS?

CVE-2020-37214 is a directory traversal vulnerability in Voyager CMS versions 1.3.0 and below, allowing attackers to read sensitive files by manipulating the asset path parameter.

Q: Am I affected by CVE-2020-37214 in Voyager CMS?

Yes, if you are running Voyager CMS version 1.3.0 or earlier, you are affected by this vulnerability.

Q: How do I fix CVE-2020-37214 in Voyager CMS?

Upgrade Voyager CMS to version 1.3.1 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.

Q: Is CVE-2020-37214 being actively exploited?

Public proof-of-concept exploits are available, suggesting potential for active exploitation. Monitor your systems for suspicious activity.

Q: Where can I find the official Voyager CMS advisory for CVE-2020-37214?

Refer to the Voyager CMS official website and security advisories for the latest information and updates regarding CVE-2020-37214.

Platform

laravel

Component

voyager

Fixed in

1.3.1

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2020-37214 represents a directory traversal vulnerability discovered in Voyager CMS. This flaw allows unauthorized access to sensitive system files by manipulating the asset path parameter within the /admin/voyager-assets endpoint. Versions 1.3.0 and earlier are affected, and a patch is available in version 1.3.1.

Impact and Attack Scenarios

Successful exploitation of CVE-2020-37214 grants an attacker the ability to read arbitrary files on the server. This includes critical configuration files like .env which may contain database credentials, API keys, and other sensitive information. Access to files such as /etc/passwd could expose user account details. The blast radius extends to the entire server, as the attacker can potentially gain control over the application and underlying system. This vulnerability shares similarities with other directory traversal exploits where attackers leverage predictable path structures to bypass access controls.

Exploitation Context

CVE-2020-37214 was publicly disclosed on 2026-02-11. There are currently known public proof-of-concept exploits available. The vulnerability's severity is rated HIGH (CVSS 7.5). It is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring for potential active campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.33% (56% percentile)

CISA SSVC

Exploitationpoc

Automatableyes

Technical Impactpartial

CVSS Vector

Affected Software

Componentvoyager

VendorThe Control Group

Affected rangeFixed in

<= 1.3.0 – <= 1.3.01.3.1

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2026-02-10
Published2026-02-11
Modified2026-04-07
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2020-37214 is to upgrade Voyager CMS to version 1.3.1 or later, which includes the necessary fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path manipulations in the asset parameter. Restrict file system access permissions to the Voyager CMS installation directory to limit the potential damage from a successful exploit. Monitor access logs for unusual file access patterns, particularly requests targeting sensitive files.

How to fix

Actualice Voyager a la versión 1.3.1 o superior para mitigar la vulnerabilidad de recorrido de directorios. Esta actualización corrige la forma en que se manejan las rutas de los activos, evitando el acceso no autorizado a archivos sensibles del sistema.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2020-37214 — Directory Traversal in Voyager CMS?

CVE-2020-37214 is a directory traversal vulnerability in Voyager CMS versions 1.3.0 and below, allowing attackers to read sensitive files by manipulating the asset path parameter.

Am I affected by CVE-2020-37214 in Voyager CMS?

Yes, if you are running Voyager CMS version 1.3.0 or earlier, you are affected by this vulnerability.

How do I fix CVE-2020-37214 in Voyager CMS?

Upgrade Voyager CMS to version 1.3.1 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.

Is CVE-2020-37214 being actively exploited?

Public proof-of-concept exploits are available, suggesting potential for active exploitation. Monitor your systems for suspicious activity.

Where can I find the official Voyager CMS advisory for CVE-2020-37214?

Refer to the Voyager CMS official website and security advisories for the latest information and updates regarding CVE-2020-37214.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

PHP / Composer

Detect this CVE in your project

Upload your composer.lock file and we'll tell you instantly if you're affected.

Scan free

Search CVEs

Upload composer.lock

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.