Proof‑of‑concept description for CVE‑2025‑47916, a Remote Code Execution vulnerability affecting Invision Community 5.0.0–5.0.6 via unsafe template processing in the "customCss()" method.

# CVE-2025-47916 - Invision Community Remote Code Execution (RCE) Vulnerability
## About
This repository provides a proof‑of‑concept description for
**CVE‑2025‑47916**, a Remote Code Execution vulnerability affecting
Invision Community versions **5.0.0 through 5.0.6**. The issue stems
from improper handling of user-supplied input within the `customCss()`
method, allowing unauthenticated attackers to execute crafted template
expressions.
## Affected Versions
- All versions from **5.0.0** to **5.0.6**
## Description
The vulnerability resides in the
`IPS\core\modules\front\system\themeeditor::customCss()` method inside:

```
/applications/core/modules/front/system/themeeditor.php
```
The method can be called without authentication and passes the `content`
request parameter to `Theme::makeProcessFunction()`. Since the value is
processed through the template engine, specially crafted input may lead
to **arbitrary PHP code execution**. This enables remote,
unauthenticated attackers to achieve full code execution within the
Invision Community environment.
## CLI Usage
```
usage: main.py [options] target

positional arguments:
  target             Target URL

optional arguments:
  -p, --proxy PROXY  Proxy server to route requests
  -c, --command CMD  Single command to process (for testing output handling)
  -t, --test         Perform a non-intrusive vulnerability check
```
## Solution
Update to **Invision Community 5.0.7** or later, where the issue has
been resolved.
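
While the update is being rolled out, installed versions and web access logs can be triaged for exposure. The following is an added example, not part of this repository's `main.py`: it checks a version string against the affected range and flags log lines whose request target routes to `themeeditor::customCss()`. The `controller=themeeditor` / `do=customCss` query-parameter routing, the combined log format, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Affected range stated in this README: 5.0.0 through 5.0.6.
AFFECTED_MIN, AFFECTED_MAX = (5, 0, 0), (5, 0, 6)

# Assumed input: combined log format (ip, timestamp, request line, status).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_affected(version: str) -> bool:
    """True if an Invision Community version string falls in 5.0.0-5.0.6."""
    m = re.match(r'(\d+)\.(\d+)\.(\d+)', version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def hits_custom_css(target: str) -> bool:
    """True if the request target routes to themeeditor::customCss().

    Assumption: the controller is addressed with the query parameters
    controller=themeeditor and do=customCss. Matching is order-independent,
    URL-decoded and case-insensitive, to err on the side of flagging.
    """
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    params = {k.lower(): [v.lower() for v in vals] for k, vals in query.items()}
    return ("themeeditor" in params.get("controller", [])
            and "customcss" in params.get("do", []))

def find_suspect_requests(lines):
    """Return (ip, timestamp, method, status) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_custom_css(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2025:10:01:02 +0000] "GET /index.php?app=forums HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/May/2025:10:01:09 +0000] "POST /index.php?app=core&module=system&controller=themeeditor&do=customCss HTTP/1.1" 200 312',
    '203.0.113.9 - - [12/May/2025:10:01:11 +0000] "POST /index.php?do=CUSTOMCSS&controller=ThemeEditor&app=core HTTP/1.1" 200 298',
    '198.51.100.7 - - [12/May/2025:10:02:00 +0000] "GET /index.php?app=core&module=system&controller=themeeditor HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Access logs do not record request bodies, so a match shows that the endpoint was requested, not what was sent in `content`.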
## Credits
Vulnerability discovered by **Egidio Romano**.
## References
- https://invisioncommunity.com/release-notes-v5/507-r41/
- CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47916
- Karma In Security Advisory: https://karmainsecurity.com/KIS-2025-02