Vulnerability Description
Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sabberworm | Php Css Parser | < 8.3.1 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.htExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Jun/7ExploitMailing ListThird Party Advisory
- https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed74PatchThird Party Advisory
- https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1Release NotesThird Party Advisory
- http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.htExploitThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Jun/7ExploitMailing ListThird Party Advisory
- https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed74PatchThird Party Advisory
- https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1Release NotesThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/10/msg00013.html
FAQ
What is CVE-2020-13756?
CVE-2020-13756 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input fro...
How severe is CVE-2020-13756?
CVE-2020-13756 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-13756?
Check the references section above for vendor advisories and patch information. Affected products include: Sabberworm Php Css Parser.