CVE-2026-9558
Server-Side Template Injection in Mautic Theme Engine
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Mautic
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mautic | mautic | up to 1.3.0 (excluding) |
| mautic | mautic | 7.1.2 |
| mautic | mautic | 6.0.9 |
| mautic | mautic | 5.2.11 |
| mautic | mautic | 4.4.20 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Server-Side Template Injection (SSTI) in Mautic's theme engine. It occurs because the platform renders uploaded Twig templates without proper sandboxing or restrictions on functions. Authenticated users who have permissions to create or upload themes can exploit this flaw to execute arbitrary code on the hosting server or access restricted system files and configuration settings.
How can this vulnerability impact me?
The vulnerability can lead to Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server hosting Mautic. This can result in unauthorized access to sensitive system files and configuration data, compromising the confidentiality, integrity, and availability of the system. Because the attack requires only low privileges and no user interaction, it poses a critical risk.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Server-Side Template Injection vulnerability in Mautic's theme engine, users are strongly advised to upgrade to patched versions: 7.1.2, 6.0.9, 5.2.11, or 4.4.20 (for Mautic 4.x via ELTS).
If upgrading immediately is not possible, restrict theme upload and creation permissions strictly to highly trusted administrators only.
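The explanation above attributes the flaw to rendering uploaded Twig templates without sandboxing. As an added illustration of what that sandboxing looks like (this is example code, not Mautic's code and not the vendor patch; it assumes twig/twig 3.x is installed via Composer and uses constructed sample templates), the snippet renders untrusted theme templates under Twig's SandboxExtension with an allowlist SecurityPolicy, so any tag, filter, function, method or property outside the allowlist is refused instead of executed:

```php
<?php
// Added example, not Mautic's code: render untrusted theme templates under
// Twig's sandbox so only allowlisted tags/filters/functions can run.
// Assumes twig/twig 3.x installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample templates standing in for uploaded theme files.
$templates = [
    // Uses only allowlisted constructs: renders normally.
    'benign.html.twig'  => '<h1>{{ title|upper }}</h1>'
        . '{% for item in items %}<li>{{ item }}</li>{% endfor %}',
    // Uses a filter that is not on the allowlist: rejected by the policy.
    'blocked.html.twig' => '<p>{{ title|reverse }}</p>',
];

// Allowlist policy: anything not listed here raises SecurityError.
// Empty method/property lists mean no method calls or property reads
// on objects are permitted from template code at all.
$policy = new SecurityPolicy(
    ['if', 'for', 'set'],            // allowed tags
    ['escape', 'e', 'upper', 'lower'], // allowed filters (escape: autoescape)
    [],                              // allowed methods (class => [names])
    [],                              // allowed properties (class => [names])
    []                               // allowed functions
);

$twig = new Environment(new ArrayLoader($templates), ['autoescape' => 'html']);
// Second argument true: every template is sandboxed, not only
// the ones wrapped in a {% sandbox %} tag.
$twig->addExtension(new SandboxExtension($policy, true));

function renderTheme(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        // Refuse the template; never fall back to unsandboxed rendering.
        return "refused {$name}: " . $e->getMessage();
    }
}

echo renderTheme($twig, 'benign.html.twig', ['title' => 'Hi', 'items' => ['a', 'b']]), PHP_EOL;
echo renderTheme($twig, 'blocked.html.twig', ['title' => 'Hi']), PHP_EOL;
```

The second call fails at compile time with a SecurityError naming the disallowed filter, which is also the event worth logging when reviewing theme uploads.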
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with theme creation or upload permissions to execute arbitrary code on the hosting server or access restricted system files and configuration settings. This can lead to a critical impact on confidentiality, integrity, and availability of data.
Such impacts can potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
Therefore, exploitation of this vulnerability could lead to unauthorized data access or system compromise, violating requirements for data protection and security controls mandated by these regulations.