CVE-2020-37034 HIGH

CVE-2020-37034: HelloWeb 2.0 - Arbitrary File Download

Vendor Helloweb
Product HelloWeb
Weakness CWE-22 · Path traversal
Published January 30, 2026
Last update February 2, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.

Key dates

02Disclosure timeline

January 30, 2026 CVE published
February 2, 2026 Record updated