CVE-2026-9811
Deferred Deferred - Pending Action
Stored XSS in Mautic Project Selector Component

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Mautic

Description
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-9811
EUVD
EUVD-2026-33280
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mautic mautic From 7.0.0 (inc)
mautic mautic 7.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-9811 is a stored Cross-Site Scripting (XSS) vulnerability in the project selector component of Mautic version 7.0.0 and later.

The issue occurs because the application does not properly sanitize project names retrieved via AJAX before inserting them into the DOM as option fields in selection menus.

An authenticated user with permissions to create projects can exploit this by storing a malicious script payload in a project's name.

When another administrative user opens an entity editor containing the project selector, the malicious script executes within their browser session.

Impact Analysis

This vulnerability can allow an attacker to hijack the session of an administrative user.

It can also enable the attacker to perform unauthorized actions or state coordination within the application.

Additionally, the attacker may gain access to organizational data visible within the Mautic dashboard.

Detection Guidance

Detection of this vulnerability involves identifying if malicious script payloads have been stored in project names within the Mautic application. Since the vulnerability arises from unsanitized project names rendered via AJAX in the project selector component, one approach is to inspect project names for suspicious script tags or payloads.

There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.

However, as a general approach, you can query the Mautic database for project names containing suspicious HTML or JavaScript code. For example, if you have database access, you might run a SQL query like:

  • SELECT id, name FROM projects WHERE name LIKE '%<script>%';

This query attempts to find project names containing script tags which could indicate stored XSS payloads.

Mitigation Strategies

The immediate mitigation step is to restrict project creation and modification permissions to only trusted users. Since the vulnerability requires an authenticated user with project creation permissions to inject malicious scripts, limiting these permissions reduces the risk of exploitation.

Additionally, upgrading Mautic to version 7.1.2 or later is recommended, as this version contains the patch that properly sanitizes project names and prevents the stored XSS vulnerability.

Compliance Impact

This stored Cross-Site Scripting (XSS) vulnerability in Mautic could lead to unauthorized access to organizational data and session hijacking. Such unauthorized access and potential data breaches may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of data.

Specifically, if an attacker exploits this vulnerability to access or manipulate sensitive data within the dashboard, it could result in violations of confidentiality and integrity requirements mandated by these standards.

Mitigation involves restricting project creation and modification permissions to trusted users and applying patches, which helps maintain compliance by reducing the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9811. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart