module
Invision Community 5.0.6 customCss RCE
| Disclosed |
|---|
| May 16, 2025 |
Disclosed
May 16, 2025
Description
Invision Community up to and including version 5.0.6 contains a remote code
execution vulnerability in the theme editor's customCss endpoint. By crafting
a specially formatted `content` parameter with a `{expression="..."}`
construct, arbitrary PHP can be evaluated. This module leverages that flaw
to execute payloads or system commands as the webserver user.
execution vulnerability in the theme editor's customCss endpoint. By crafting
a specially formatted `content` parameter with a `{expression="..."}`
construct, arbitrary PHP can be evaluated. This module leverages that flaw
to execute payloads or system commands as the webserver user.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.