CVE-2026-4257 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: April 1, 2026
Contact Form by Supsystic - Remote Code Execution
Overview
Contact Form by Supsystic WordPress plugin versions <= 1.7.36 contain a server-side template injection (SSTI): form templates are rendered through an unsandboxed Twig_Loader_String, and the cfsPreFill functionality feeds attacker-controlled GET parameters into that rendering, so unauthenticated attackers can execute arbitrary code remotely.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary PHP functions and OS commands remotely, leading to full server compromise.
Mitigation
Update the plugin to a version later than 1.7.36.
References
- https://patchstack.com/database/vulnerability/wordpress-contact-form-by-supsystic-plugin-1-7-36-unauthenticated-server-side-template-injection-via-prefill-functionality-vulnerability
- https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.php#L323
- https://plugins.trac.wordpress.org/changeset/3491826/contact-form-by-supsystic
- https://www.wordfence.com/threat-intel/vulnerabilities/id/415c9658-bfb2-453b-a697-c63c08b0ca61?source=cve
Details
- CVE ID: CVE-2026-4257
- Severity: Critical
- CVSS Score: 9.8
- Type: template_injection
- Status: unconfirmed
- EPSS: 1961.3%
- Nuclei: Available
- Social Posts: 1
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H