{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-9558", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "state": "PUBLISHED", "assignerShortName": "Mautic", "dateReserved": "2026-05-26T08:36:52.218Z", "datePublished": "2026-05-29T10:01:36.019Z", "dateUpdated": "2026-05-29T10:49:06.099Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2026-05-29T10:01:36.019Z" }, "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-1336", "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE" } ] } ], "impacts": [ { "capecId": "CAPEC-242", "descriptions": [ { "lang": "en", "value": "CAPEC-242 Code Injection" } ] } ], "affected": [ { "collectionURL": "https://packagist.org", "packageName": "mautic/core", "repo": "https://github.com/mautic/mautic", "versions": [ { "status": "affected", "version": "1.3.0", "lessThan": "4.4.20", "versionType": "semver" }, { "status": "affected", "version": "5.0.0", "lessThan": "5.2.11", "versionType": "semver" }, { "status": "affected", "version": "6.0.0", "lessThan": "6.0.9", "versionType": "semver" }, { "status": "affected", "version": "7.0.0", "lessThan": "7.1.2", "versionType": "semver" } ], "defaultStatus": "unaffected" } ], "descriptions": [ { "lang": "en", "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings." } ] } ], "references": [ { "url": "https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg" } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } } ], "workarounds": [ { "lang": "en", "value": "There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.", "supportingMedia": [ { "type": "text/html", "base64": false, "value": "There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators." } ] } ], "credits": [ { "lang": "en", "value": "Onurcan Genç (@onurcangnc)", "type": "finder" }, { "lang": "en", "value": "Daniel Zhang (@xfer0)", "type": "finder" }, { "lang": "en", "value": "Tuan Do (@Entropt)", "type": "finder" }, { "lang": "en", "value": "Patryk Gruszka (@patrykgruszka)", "type": "remediation reviewer" }, { "lang": "en", "value": "John Linhart (@escopecz)", "type": "remediation reviewer" }, { "lang": "en", "value": "Leuchtfeuer Digital Marketing (@Leuchtfeuer)", "type": "sponsor" } ], "source": { "advisory": "GHSA-9fx4-7cmj-47vg", "discovery": "UNKNOWN" }, "x_generator": { "engine": "Vulnogram 1.0.2" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-29T10:48:50.985840Z", "id": "CVE-2026-9558", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T10:49:06.099Z" } } ] } }