CVE-2020-36877 CRITICAL

CVE-2020-36877: ReQuest Serious Play F3 Media Server <= 7.0.3 code execution

Vendor Request Serious Play Llc
Product ReQuest Serious Play Pro
Weakness CWE-78
Published December 5, 2025
Last update April 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server.

Key dates

02Disclosure timeline

December 5, 2025 CVE published
April 7, 2026 Record updated