CVE-2026-9558
Deferred Deferred - Pending Action
Server-Side Template Injection in Mautic Theme Engine

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Mautic

Description
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-9558
EUVD
EUVD-2026-33276
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
mautic mautic to 1.3.0 (exc)
mautic mautic 7.1.2
mautic mautic 6.0.9
mautic mautic 5.2.11
mautic mautic 4.4.20
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Template Injection (SSTI) in Mautic's theme engine. It occurs because the platform renders uploaded Twig templates without proper sandboxing or restrictions on functions. Authenticated users who have permissions to create or upload themes can exploit this flaw to execute arbitrary code on the hosting server or access restricted system files and configuration settings.

Impact Analysis

The vulnerability can lead to Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server hosting Mautic. This can result in unauthorized access to sensitive system files and configuration data, compromising the confidentiality, integrity, and availability of the system. Because the attack requires only low privileges and no user interaction, it poses a critical risk.

Mitigation Strategies

To mitigate the Server-Side Template Injection vulnerability in Mautic's theme engine, users are strongly advised to upgrade to patched versions: 7.1.2, 6.0.9, 5.2.11, or 4.4.20 (for Mautic 4.x via ELTS).

If upgrading immediately is not possible, restrict theme upload and creation permissions strictly to highly trusted administrators only.

Compliance Impact

The vulnerability allows authenticated users with theme creation or upload permissions to execute arbitrary code on the hosting server or access restricted system files and configuration settings. This can lead to a critical impact on confidentiality, integrity, and availability of data.

Such impacts can potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

Therefore, exploitation of this vulnerability could lead to unauthorized data access or system compromise, violating requirements for data protection and security controls mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9558. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart