Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings submitted to themeeditor.php. The issue lies in the themeeditor controller (/applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. That method passes the value of the content parameter to Theme::makeProcessFunction(), so the value is evaluated by the template engine. An unauthenticated attacker can therefore supply crafted template strings to inject and execute arbitrary PHP code.
CVE ID: CVE-2025-47916
CVSS Base Severity: CRITICAL
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor: n/a
Product: n/a
Template: http/cves/2025/CVE-2025-47916.yaml
EPSS Score: 75.59% (estimated probability of exploitation activity in the wild within the next 30 days)
EPSS Percentile: 98.82% (share of all scored CVEs whose EPSS score is less than or equal to this one)
EPSS Date: 2025-06-06 (date this score was calculated)