PT-2025-21165 · Invision · Invision Community

Egidio Romano

Published: 2025-04-23 · Updated: 2025-07-14 · CVE-2025-47916

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Invision Community versions 5.0.0 through 5.0.7
Description: The issue lies within the themeeditor controller, where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method, which is evaluated by the template engine. As a result, unauthenticated attackers can exploit this to inject and execute arbitrary PHP code by providing crafted template strings to the /applications/core/modules/front/system/themeeditor.php file.
Recommendations: For Invision Community versions 5.0.0 through 5.0.7, update to a version later than 5.0.7 to resolve the issue. As a temporary workaround, consider disabling the customCss method in the themeeditor controller until a patch is available. Restrict access to the themeeditor controller to minimize the risk of exploitation.
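To support the "restrict access" recommendation, the following added example (not part of the advisory, and not vendor code) scans web-server access-log lines for requests that reach the themeeditor controller's customCss action so they can be reviewed or blocked. It assumes the standard Invision Community query-string routing (`controller=themeeditor&do=customCss`) and uses constructed log lines in combined format; both are assumptions of this example, not facts stated on the page.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2025:10:01:12 +0000] "GET /index.php?app=core&module=system&controller=themeeditor&do=customCss&content=body%7Bcolor%3Ared%7D HTTP/1.1" 200 512
198.51.100.3 - - [23/Apr/2025:10:01:13 +0000] "GET /index.php?app=core&module=system&controller=themeeditor&do=customCss HTTP/1.1" 200 88
192.0.2.9 - - [23/Apr/2025:10:02:40 +0000] "GET /forums/topic/123-hello/ HTTP/1.1" 200 9000
203.0.113.7 - - [23/Apr/2025:10:03:01 +0000] "POST /index.php?app=core&module=system&controller=themeeditor&do=customCss HTTP/1.1" 200 60
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_theme_editor_custom_css(target: str) -> bool:
    """True when the request target routes to themeeditor::customCss (assumed routing)."""
    qs = parse_qs(urlparse(target).query)
    controller = qs.get("controller", [""])[0].lower()
    action = qs.get("do", [""])[0].lower()
    return controller == "themeeditor" and action == "customcss"


def find_suspicious_requests(log_text: str) -> list[dict]:
    """Return every request that hits the vulnerable action, with review metadata.

    has_content only reflects the query string: a POST body is not in the access
    log, so every hit should be reviewed regardless of that flag.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_theme_editor_custom_css(m["target"]):
            continue
        qs = parse_qs(urlparse(m["target"]).query)
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "has_content": "content" in qs,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

On a patched install (later than 5.0.7) these requests are no longer a code-execution path, but the filter still serves as an indicator that the endpoint is being probed.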

Tags: Exploit, Fix, RCE, Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00290
CVE-2025-47916

Affected Products

Invision Community