CVE-2026-9558 PUBLISHED

Assigner: Mautic
Reserved: 26.05.2026 Published: 29.05.2026 Updated: 29.05.2026

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Package Collection	https://packagist.org
Package Name	mautic/core
Versions	Default: unaffected affected from 1.3.0 to 4.4.20 (excl.) affected from 5.0.0 to 5.2.11 (excl.) affected from 6.0.0 to 6.0.9 (excl.) affected from 7.0.0 to 7.1.2 (excl.)

Workarounds

There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.

Credits

Onurcan Genç (@onurcangnc) finder
Daniel Zhang (@xfer0) finder
Tuan Do (@Entropt) finder
Patryk Gruszka (@patrykgruszka) remediation reviewer
John Linhart (@escopecz) remediation reviewer
Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg

Problem Types

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine CWE

Impacts

CAPEC-242 Code Injection