CVE-2026-9559 PUBLISHED

Assigner: Mautic
Reserved: 26.05.2026 Published: 29.05.2026 Updated: 29.05.2026

A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Package Collection	https://packagist.org
Package Name	mautic/core
Versions	Default: unaffected affected from 7.0.0 to 7.1.2 (excl.)

Workarounds

There are no official workarounds. To mitigate this risk without upgrading, revoke campaign import permissions (campaign:imports:create) from non-administrative users.

Credits

Nguyễn Văn Long (@nglong05) finder
@f3nrir77 finder
John Linhart (@escopecz) remediation developer
Patryk Gruszka (@patrykgruszka) remediation reviewer
Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

https://github.com/mautic/mautic/security/advisories/GHSA-6r9h-4h75-7q4x

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-73 External Control of File Name or Path CWE
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE

Impacts

CAPEC-139 Relative Path Traversal