diff --git a/awstats-CVE-2020-35176.patch b/awstats-CVE-2020-35176.patch
new file mode 100644
index 0000000..c954a95
--- /dev/null
+++ b/awstats-CVE-2020-35176.patch
@@ -0,0 +1,20 @@
+diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
+index e709b7f5..8341c0a5 100755
+--- a/wwwroot/cgi-bin/awstats.pl
++++ b/wwwroot/cgi-bin/awstats.pl
+@@ -1711,13 +1711,13 @@ sub Read_Config {
+ # Check config file in common possible directories :
+ # Windows : "$DIR" (same dir than awstats.pl)
+ # Standard, Mandrake and Debian package : "/etc/awstats"
+- # Other possible directories : "/usr/local/etc/awstats", "/etc"
++ # Other possible directories : "/usr/local/etc/awstats",
+ # FHS standard, Suse package : "/etc/opt/awstats"
+ my $configdir = shift;
+ my @PossibleConfigDir = (
+ "$DIR",
+ "/etc/awstats",
+- "/usr/local/etc/awstats", "/etc",
++ "/usr/local/etc/awstats",
+ "/etc/opt/awstats"
+ );
+
diff --git a/awstats.spec b/awstats.spec
index bb71164..cef08ed 100644
--- a/awstats.spec
+++ b/awstats.spec
@@ -1,6 +1,6 @@
 Name: awstats
 Version: 7.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Advanced Web Statistics
 License: GPLv3+
 URL: http://awstats.sourceforge.net
@@ -13,6 +13,9 @@ Patch0: awstats-awredir.pl-sanitize-parameters.patch
 Patch1: awstats-7.0-httpd-2.4.patch
 %endif
+# https://github.com/eldy/awstats/pull/196/commits/0d4d4c05f8e73be8f71dd361dc55cbd52858b823.diff
+Patch2: awstats-CVE-2020-35176.patch
+
 # distribution specific definitions
 %define use_systemd (0%{?fedora} || 0%{?rhel} >= 7)
@@ -62,6 +65,7 @@ http://localhost/awstats/awstats.pl
 %patch0 -p 1
 %if 0%{?rhel} >= 7 || 0%{?fedora}
 %patch1 -p 1
+%patch2 -p 1
 %endif
 # Fix style sheets.
@@ -176,6 +180,9 @@ fi
 %changelog
+* Wed Dec 30 2020 Tim Jackson - 7.8-2
+- Fix CVE-2020-35176
+
 * Fri Aug 07 2020 Tim Jackson - 7.8-1
 - Version 7.8
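Review bot: Removing "/etc" from `@PossibleConfigDir` means a site config stored directly under /etc is no longer found after this update, and nothing in the package tells the administrator; the changelog entry could say so, e.g. `- Fix CVE-2020-35176 (config files are no longer searched for in /etc)`. The rewritten comment is left with a dangling comma and would read better as `# Other possible directories : "/usr/local/etc/awstats"`, although keeping the patch identical to upstream may be the reason to leave it. "$DIR" stays in the search list and the handling of the requested config name is not visible here, since Read_Config continues outside the hunk, so it is worth confirming against the full file that the name cannot carry directory components.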
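Review bot: `%patch2 -p 1` is added inside the `%if 0%{?rhel} >= 7 || 0%{?fedora}` block in the third awstats.spec hunk, so a build where that condition is false declares Patch2 but never applies the CVE-2020-35176 fix. The conditional is there for Patch1, which by its name is specific to httpd 2.4; the config-directory fix does not depend on the httpd version. Move the line below the `%endif` so it is applied unconditionally, i.e. `%patch1 -p 1`, `%endif`, `%patch2 -p 1`. If this branch is only built for targets where the condition holds the effect is nil today, but the spec would still read as though the security fix were optional.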