9.9
CVE-2026-9558
- EPSS 0.44%
- Veröffentlicht 29.05.2026 10:01:36
- Zuletzt bearbeitet 29.05.2026 15:39:34
- Quelle security@mautic.org
- CVE-Watchlists
- Unerledigt
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://packagist.org
≫
Paket
mautic/core
Default Statusunaffected
Version
1.3.0
Version <
4.4.20
Status
affected
Version
5.0.0
Version <
5.2.11
Status
affected
Version
6.0.0
Version <
6.0.9
Status
affected
Version
7.0.0
Version <
7.1.2
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.44% | 0.349 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@mautic.org | 9.9 | 3.1 | 6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg