CVE-2025-47916

CRITICAL EXPLOITED NUCLEI LAB

Invisioncommunity < 5.0.7 - Remote Code Execution

Title source: rule

Exploitation Summary

CVE-2025-47916 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Egidio Romano, exploitintel, Web3-Serializer, including a Metasploit module exploits/multi/http/invision_customcss_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This PHP script exploits a remote code execution vulnerability in Invision Community <= 5.0.6 by injecting a malicious expression into the 'content' parameter of the theme editor, allowing arbitrary command execution. The exploit uses cURL to send crafted POST requests and retrieves command output via a delimiter-based extraction.

Description

Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings.

Exploits (4)

exploitdb WORKING POC

by Egidio Romano · phpremotemultiple

https://www.exploit-db.com/exploits/52294

View Code ZIP pw:eip

This PHP script exploits a remote code execution vulnerability in Invision Community <= 5.0.6 by injecting a malicious expression into the 'content' parameter of the theme editor, allowing arbitrary command execution. The exploit uses cURL to send crafted POST requests and retrieves command output via a delimiter-based extraction.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Invision Community <= 5.0.6

No auth needed

Prerequisites: cURL extension enabled in PHP · Network access to the target Invision Community instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC 1 stars

by exploitintel · pythonpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-47916

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2025-47916, an unauthenticated RCE vulnerability in Invision Community 5.0.0-5.0.6 via template injection. It includes multiple PoC scripts demonstrating OS command execution, PHP eval, and web shell deployment, along with a Docker-based lab environment for testing.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Invision Community 5.0.0 through 5.0.6

No auth needed

Prerequisites: Docker and Docker Compose for lab setup

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 02, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Web3-Serializer · remote

https://github.com/Web3-Serializer/CVE-2025-47916

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-47916, an unauthenticated RCE vulnerability in Invision Community 5.0.0-5.0.6. The exploit leverages improper template engine handling in the `customCss()` method to execute arbitrary PHP code via crafted input.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Invision Community 5.0.0-5.0.6

No auth needed

Prerequisites: Network access to target Invision Community instance

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Egidio Romano (EgiX), Valentin Lobstein · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/invision_customcss_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits a remote code execution vulnerability in Invision Community up to version 5.0.6 by injecting a malicious expression into the `customCss` endpoint, allowing arbitrary PHP execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Invision Community 5.0.0 - 5.0.6

Auth required

Prerequisites: Access to the admin panel · Valid session or authentication

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Invision Community <=5.0.6 Unauthenticated RCE via Template Injection

CRITICALVERIFIEDby EgiX,iamnoooob,pdresearch

Shodan: Set-Cookie: ips4_

FOFA: body="Invision" && body="ips4"

References (3)

Core 3

Core References

Release Notes

https://invisioncommunity.com/release-notes-v5/507-r41/

Exploit, Third Party Advisory

https://karmainsecurity.com/KIS-2025-02

Mailing List, Third Party Advisory

http://seclists.org/fulldisclosure/2025/May/4

Scores

CVSS v3 10.0

EPSS 0.7823

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Lab Environment

EIP LAB

patched docker pull ghcr.io/exploitintel/cve-2025-47916-patched:latest

vulnerable docker pull ghcr.io/exploitintel/cve-2025-47916-vulnerable:latest

View in Library GitHub

Details

VulnCheck KEV 2025-06-06

CWE

CWE-1336 CWE-94

Status published

Products (1)

invisioncommunity/invisioncommunity 5.0.0 - 5.0.7

Published May 16, 2025

Tracked Since Feb 18, 2026