CVE-2026-9559
Path Traversal in Mautic Campaign Import Leading to RCE
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Mautic
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mautic | mautic | From 7.0 (inc) |
| mautic | mautic | 7.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9559 is a path traversal vulnerability in Mautic 7's campaign import feature. It occurs when the system extracts uploaded ZIP files during campaign imports. Due to flawed validation logic, file paths can escape the intended temporary directories.
An authenticated user with campaign import privileges can exploit this flaw to write arbitrary PHP files into sensitive system directories. This can lead to overwriting critical internal configuration or cache components.
Ultimately, this vulnerability allows an attacker to achieve Remote Code Execution (RCE) under the context of the web server user.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized Remote Code Execution (RCE) on the affected system.
- An attacker with campaign import privileges can write arbitrary PHP files to sensitive system directories.
- Critical internal configuration or cache components can be overwritten.
- The attacker can execute malicious code with the privileges of the web server user, potentially leading to full system compromise.
There are no official workarounds, but revoking campaign import permissions from non-administrative users can mitigate the risk.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, revoke campaign import permissions from non-administrative users to reduce the risk of exploitation.
Additionally, upgrade Mautic to version 7.1.2 or later, where this vulnerability has been patched.
No official workarounds exist beyond these steps.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.