Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-9558
PUBLISHED
More InfoOfficial Page
Assigner-Mautic
Assigner Org ID-4e531c38-7a33-45d3-98dd-d909c0d8852e
View Known Exploited Vulnerability (KEV) details
Published At-29 May, 2026 | 10:01
Updated At-29 May, 2026 | 10:49
Rejected At-
▼CVE Numbering Authority (CNA)

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

Affected Products
Collection URL
https://packagist.org
Package Name
mautic/core
Repo
https://github.com/mautic/mautic
Default Status
unaffected
Versions
Affected
  • From 1.3.0 before 4.4.20 (semver)
  • From 5.0.0 before 5.2.11 (semver)
  • From 6.0.0 before 6.0.9 (semver)
  • From 7.0.0 before 7.1.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-1336CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Type: CWE
CWE ID: CWE-1336
Description: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Metrics
VersionBase scoreBase severityVector
3.19.9CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Version: 3.1
Base score: 9.9
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-242CAPEC-242 Code Injection
CAPEC ID: CAPEC-242
Description: CAPEC-242 Code Injection
Solutions
Configurations
Workarounds

There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.

Exploits
Credits
finder
Onurcan Genç (@onurcangnc)
finder
Daniel Zhang (@xfer0)
finder
Tuan Do (@Entropt)
remediation reviewer
Patryk Gruszka (@patrykgruszka)
remediation reviewer
John Linhart (@escopecz)
sponsor
Leuchtfeuer Digital Marketing (@Leuchtfeuer)
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg
N/A
Hyperlink: https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found