{"id":"CVE-2020-13756","details":"Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.","aliases":["GHSA-phrq-v4q2-hmq6"],"modified":"2026-04-09T06:52:56.231047Z","published":"2020-06-03T14:15:12.703Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00013.html"},{"type":"ADVISORY","url":"https://github.com/sabberworm/PHP-CSS-Parser/releases/tag/8.3.1"},{"type":"FIX","url":"https://github.com/sabberworm/PHP-CSS-Parser/commit/2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/157923/Sabberworm-PHP-CSS-Code-Injection.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2020/Jun/7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/myintervals/php-css-parser","events":[{"introduced":"0"},{"fixed":"2ebf59e8bfbf6cfc1653a5f0ed743b95062c62a4"},{"fixed":"d217848e1396ef962fb1997cf3e2421acba7f796"}]},{"type":"GIT","repo":"https://github.com/sabberworm/php-css-parser","events":[{"introduced":"0"},{"fixed":"d217848e1396ef962fb1997cf3e2421acba7f796"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.3.1"}]}}],"versions":["0.9.0","1.0.0","2.0.0","3.0.0","4.0.0","5.0.0","5.0.1","5.0.2","5.0.3","5.0.4","5.0.5","5.0.6","5.0.7","5.0.8","5.1.0","5.1.1","5.1.2","5.2.0","6.0.0","6.0.1","7.0.0","7.0.1","7.0.2","7.0.3","8.0.0","8.1.0","8.2.0","8.3.0","v0.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13756.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}