CVE-2026-9809
Stored XSS in Mautic Projects Component
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Mautic
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mautic | mautic | 7.1.2 |
| mautic | mautic | up to, but excluding, 7.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue found in the Projects component of Mautic 7. It occurs because user-supplied project names are displayed without proper sanitization on administrative detail views such as campaigns, emails, or forms. An authenticated user who has permission to create or edit projects can inject malicious script payloads into project names.
When an administrative user views an entity associated with such a project and hovers over its project tag, the injected script executes in that user's browser session, so the attacker's code runs with the victim's privileges in the Mautic UI.
How can this vulnerability impact me?
The impact of this vulnerability includes the potential for an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data. Since the malicious script runs in the context of an administrative user's browser session, it can lead to unauthorized changes and data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is stored Cross-Site Scripting (XSS) caused by project names being rendered without proper output encoding in the Projects component of Mautic 7. Detection consists of checking whether any stored project names contain markup or script payloads that would execute when the tag is hovered over in administrative views.
Since the vulnerability requires an authenticated user with project creation or editing permissions to inject scripts, detection can focus on reviewing project names for suspicious or unexpected script tags or payloads.
There are no specific commands provided in the available resources to detect this vulnerability on your system or network.
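As an added illustration of the review suggested above (this is not code from Mautic or from this advisory), the following Python scans a constructed list of project names for markup where plain text is expected, and shows the attribute encoding that neutralizes the same inputs:

```python
import html
import re

# Constructed sample project names (not data from any real Mautic instance).
SAMPLE_PROJECT_NAMES = [
    "Q3 Newsletter",
    "Tom & Jerry's list",                      # benign: apostrophe and ampersand
    'Demo" onmouseover="alert(1)',             # breaks out of a quoted attribute
    "Webinar <script>alert(1)</script>",       # inline script element
    "Promo <img src=x onerror=alert(1)>",      # event handler on an element
]

# Each check: (reason, compiled pattern). A project name is plain text, so any
# of these is unexpected and worth a manual look in the Projects list.
CHECKS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event-handler", re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("attr-breakout", re.compile(r"[\"']\s*[a-zA-Z-]+\s*=")),
]


def classify(name: str) -> list[str]:
    """Return the reasons a project name looks suspicious (empty if clean)."""
    return [reason for reason, pat in CHECKS if pat.search(name)]


def scan_project_names(names):
    """Map each suspicious name to its reasons; clean names are omitted."""
    return {n: reasons for n in names if (reasons := classify(n))}


def safe_tooltip_attr(name: str) -> str:
    """Encode a name for use inside a quoted HTML attribute such as title="...".
    Correct output encoding neutralizes the inputs the scanner flags rather
    than merely reporting them."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for name, reasons in scan_project_names(SAMPLE_PROJECT_NAMES).items():
        print(f"SUSPICIOUS {reasons}: {name!r} -> encoded: {safe_tooltip_attr(name)!r}")
```

To apply this to a real instance, feed the function an export of the project names from the Projects component in place of the constructed list.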
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Mautic version 7.1.2. The primary immediate mitigation is to upgrade to this patched version.
If upgrading immediately is not possible, restrict project creation and modification permissions to trusted users only to prevent malicious script injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute malicious scripts within an administrative user's browser session, potentially enabling unauthorized administrative actions, alteration of system configurations, or exfiltration of sensitive data.
Such unauthorized access and potential data exfiltration could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring system integrity.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive information, impacting compliance with these common standards and regulations.