ctipilot.ch

Mautic Focus component SSRF (post-auth; reaches internal/cloud-metadata)

cve · CVE-2026-9557

Coverage timeline: 1 (first 2026-05-31 → last 2026-05-31)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 0
Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-05-31: CTI Daily Brief — 2026-05-31

Source distribution

  • github.com: 1 (50%)
  • wid.cert-bund.de: 1 (50%)

Related entities

Items in briefs about Mautic Focus component SSRF (post-auth; reaches internal/cloud-metadata) (1)

Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass

From CTI Daily Brief — 2026-05-31 · published 2026-05-31

The Mautic project shipped releases 7.1.2 and 6.0.9 on 2026-05-28/29 closing seven vulnerabilities, and BSI CERT-Bund issued advisory WID-SEC-2026-1724 on 2026-05-29 rating the cluster hoch (HIGH) (BSI CERT-Bund WID-SEC-2026-1724, 2026-05-29; Mautic GitHub Security Advisory GHSA-fcmw-wx57-9p75, 2026-05-28). All seven require an authenticated session, but several go well beyond information disclosure. CVE-2026-9558 is a server-side template injection in theme templates: an authenticated user with theme-creation permission can execute arbitrary code on the server (all supported branches, 4.x–7.x). CVE-2026-9559 is a path traversal in the campaign-import handler that writes arbitrary PHP into sensitive directories, yielding remote code execution under the web-server user (Mautic 7.x). CVE-2026-9557 is a server-side request forgery in the Focus component: an authenticated user can make the Mautic server issue HTTP requests to internal network resources and cloud instance-metadata endpoints (IMDS) and read local files. CVE-2026-4776 is a SQL injection in the API contact-filtering interface. CVE-2026-9808 is an authorization bypass in the API v2 (Mautic 7.x). CVE-2026-9809 and CVE-2026-9811 are stored XSS in the Projects feature (Mautic 7.x). No in-the-wild exploitation is reported; exploitation status is unknown. Patched in 7.1.2 and 6.0.9 (released 2026-05-28/29).

Why it matters to us: Mautic is the dominant self-hosted, GDPR-compliant campaign-mail platform across European universities, cantonal and municipal communications teams, NGOs and political parties — a population that frequently runs it on an internal network segment with reachability to cloud metadata or back-office services. A single compromised authenticated account (the kind harvested in routine credential-stuffing or AiTM phishing) now reaches server-side code execution via the theme-template SSTI or the campaign-import PHP write (T1190, T1059), while the Focus SSRF reaches internal services and the cloud instance-metadata endpoint (T1552.005). Detection: review Mautic logs for theme-template edits and campaign-import operations by non-admin roles, and for Focus requests resolving to RFC-1918 ranges or 169.254.169.254; alert on the Mautic worker spawning shell / php child processes or making outbound connections to internal subnets. Hardening: upgrade to 7.1.2 / 6.0.9; restrict theme-creation and campaign-import permissions to trusted administrators; egress-filter the Mautic host (block link-local metadata and internal subnets); apply CSP headers on the admin UI.
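The two defensive controls the brief recommends against the Focus SSRF class (refusing server-side fetches that land in link-local, loopback or RFC-1918 space, and alerting on such destinations in logs) are easy to get subtly wrong, so here is an added example of both in Python. It is not Mautic project code and does not use Mautic's APIs; the log format, the hostnames and the `FAKE_DNS` mapping are constructed for the example, and the resolver is injectable so the check runs offline. The check validates every address a name resolves to, unwraps IPv4-mapped IPv6 forms of the metadata endpoint, and fails closed on unresolvable names.

```python
"""
Added example (not Mautic's code): an egress deny-check for server-side URL
fetches plus a scan over constructed log lines. Illustrates the mitigations
and detection the brief recommends for SSRF of the CVE-2026-9557 kind.
"""
import ipaddress
import re
import socket
from ipaddress import IPv4Address, IPv6Address
from typing import Callable, Iterable, List, Optional, Union

from urllib.parse import urlsplit

# Ranges a server-side fetcher should never reach. 169.254.0.0/16 covers the
# cloud instance-metadata endpoint 169.254.169.254; fe80::/10 is its IPv6 peer.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def _normalise(addr: Union[IPv4Address, IPv6Address]) -> Union[IPv4Address, IPv6Address]:
    # ::ffff:169.254.169.254 is the same metadata endpoint; unwrap it before matching.
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_blocked_address(ip: str) -> bool:
    """True if the address string falls in any blocked range."""
    addr = _normalise(ipaddress.ip_address(ip))
    return any(addr in net for net in BLOCKED_NETWORKS)


def _system_resolver(host: str) -> List[str]:
    # Every A/AAAA record is checked: one internal record among public ones
    # must still refuse the fetch. Shorthand forms such as "127.1" also end
    # up here because ipaddress rejects them, and the OS resolver expands them.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def blocked_reason(url: str, resolver: Resolver = _system_resolver) -> Optional[str]:
    """Return why the URL must not be fetched, or None if it may be."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"  # file://, gopher://, ...
    host = parts.hostname
    if not host:
        return "no host in URL"
    try:
        targets = [str(ipaddress.ip_address(host))]  # literal IP, incl. [::1]
    except ValueError:
        try:
            targets = resolver(host)
        except OSError:
            return f"cannot resolve {host!r}"  # fail closed
    for ip in targets:
        if is_blocked_address(ip):
            return f"{host!r} resolves to blocked address {ip}"
    # Caveat: to defeat DNS rebinding, the actual fetch must connect to the
    # IP validated here rather than resolving the name a second time.
    return None


# Constructed sample log lines in a nominal format (not Mautic's real format).
SAMPLE_LOG = """\
2026-05-30T08:01:12Z focus.fetch user=alice dest=https://cdn.example.org/banner.png ip=203.0.113.10
2026-05-30T08:02:40Z focus.fetch user=bob dest=http://169.254.169.254/latest/meta-data/ ip=169.254.169.254
2026-05-30T08:03:05Z focus.fetch user=bob dest=http://intranet.corp.local/ ip=10.20.30.40
2026-05-30T08:04:00Z focus.fetch user=carol dest=http://localhost:8080/ ip=127.0.0.1
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) focus\.fetch user=(?P<user>\S+) dest=(?P<dest>\S+) ip=(?P<ip>\S+)$"
)


def flag_log_lines(lines: Iterable[str]) -> List[dict]:
    """Return one record per fetch whose resolved ip is in a blocked range."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and is_blocked_address(m["ip"]):
            hits.append({"ts": m["ts"], "user": m["user"], "dest": m["dest"], "ip": m["ip"]})
    return hits


# Constructed DNS answers so the example runs without network access.
FAKE_DNS = {"intranet.corp.local": ["10.20.30.40"], "cdn.example.org": ["203.0.113.10"]}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "file:///etc/passwd",
              "http://[::ffff:169.254.169.254]/", "http://intranet.corp.local/",
              "https://cdn.example.org/banner.png"):
        print(f"{u:45} -> {blocked_reason(u, fake_resolver) or 'allowed'}")
    for hit in flag_log_lines(SAMPLE_LOG.splitlines()):
        print("ALERT", hit)
```

The deny-list is the minimum; in production the fetcher should also pin the validated IP for the connection, cap redirects (each hop re-validated), and log the resolved address alongside the requested URL so that the alerting half has something to match on.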