CVE-2020-36903 HIGH

CVE-2020-36903: Selea CarPlateServer 4.0.1.6 Local Privilege Escalation via Unquoted Service Path

Vendor: Selea
Product: Selea CarPlateServer (CPS)
Weakness: CWE-428
Published: December 31, 2025
Last update: January 2, 2026

CVSS base score

8.5/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Selea CarPlateServer 4.0.1.6 contains an unquoted service path vulnerability in the Windows service configuration that allows local users to potentially execute code with elevated privileges. Attackers can exploit the service's unquoted binary path by inserting malicious code in the system root path that could execute with LocalSystem privileges during application startup or reboot.
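
A defender-side check for the condition described above, added here as an example and not taken from the advisory or from Selea: it flags Windows service ImagePath values whose executable path contains a space but is not quoted, and produces the quoted form used to remediate. The service names and paths are constructed samples, since the advisory does not give the CarPlateServer service path.

```python
import re

# Constructed sample ImagePath values (illustrative; not from the advisory or the product).
SAMPLES = {
    "ExampleUnquoted": r"C:\Program Files\Example Vendor\Example App\svc.exe -run",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\Example App\svc.exe" -run',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
    "ExampleEnv": r"%ProgramFiles%\Example Vendor\svc.exe",
}

# Shortest prefix ending in ".exe" that is followed by whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return (path, quoted) for the executable portion of an ImagePath."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end != -1 else p[1:]), True
    m = _EXE.match(p)
    # No ".exe" (for example a .sys driver): take the first whitespace-delimited token.
    return (m.group(1) if m else p.split(" ")[0]), False


def is_unquoted_with_space(image_path):
    """True when the executable path has a space and no surrounding quotes (CWE-428)."""
    path, quoted = executable_part(image_path)
    return not quoted and " " in path


def quoted_form(image_path):
    """Return the ImagePath with the executable portion quoted and arguments unchanged."""
    p = image_path.strip()
    path, quoted = executable_part(p)
    return p if quoted else f'"{path}"{p[len(path):]}'


def audit(services):
    """Return the sorted names of services whose ImagePath needs quoting."""
    return sorted(n for n, ip in services.items() if is_unquoted_with_space(ip))


if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: {SAMPLES[name]}  ->  {quoted_form(SAMPLES[name])}")
```

On a real host the input would be the ImagePath values exported from the service configuration; a path using an environment variable such as %ProgramFiles% is flagged only when the unexpanded string itself contains a space.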

Key dates

02 Disclosure timeline

December 31, 2025 CVE published
January 2, 2026 Record updated