Close Menu
    Subscribe
    Alerts

    CVE-2026-9558 | THREATINT

    adminBy No Comments1 Min Read


    Home

    Description

    A Server-Side Template Injection (SSTI) vulnerability exists in Mautic’s theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

    PUBLISHED Reserved 2026-05-26 | Published 2026-05-29 | Updated 2026-05-29 | Assigner Mautic

    CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Problem types

    CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

    Product status

    Default status
    unaffected

    1.3.0 (semver) before 4.4.20
    affected

    5.0.0 (semver) before 5.2.11
    affected

    6.0.0 (semver) before 6.0.9
    affected

    7.0.0 (semver) before 7.1.2
    affected

    Credits

    Onurcan Genç (@onurcangnc) finder

    Daniel Zhang (@xfer0) finder

    Tuan Do (@Entropt) finder

    Patryk Gruszka (@patrykgruszka) remediation reviewer

    John Linhart (@escopecz) remediation reviewer

    Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

    References

    github.com/…mautic/security/advisories/GHSA-9fx4-7cmj-47vg

    cve.org (CVE-2026-9558)

    nvd.nist.gov (CVE-2026-9558)

    Download JSON



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.