ctipilot.ch

Mautic file inclusion / path traversal (post-auth)

cve · CVE-2026-9808

Coverage timeline
1
first 2026-05-31 → last 2026-05-31
Peak priority
high
1 high
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
6
see Related entities below
ATT&CK techniques
3
pinned v19.1 · see below

ATT&CK techniques

3 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-05-31/mautic-7-1-2-6-0-9-seven-authenticated-flaws-including-two-p · ATT&CK page ↗

Execution TA0002

T1059Command and Scripting Interpreter×1

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Evidence: 2026-05-31/mautic-7-1-2-6-0-9-seven-authenticated-flaws-including-two-p · ATT&CK page ↗

Credential Access TA0006

T1552.005Unsecured Credentials: Cloud Instance Metadata API×1

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Evidence: 2026-05-31/mautic-7-1-2-6-0-9-seven-authenticated-flaws-including-two-p · ATT&CK page ↗

Story timeline

  1. 2026-05-31Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass
    active-threatsMautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization

Where this entity is cited

  • active-threats1

Source distribution

  • github.com1 (50%)
  • wid.cert-bund.de1 (50%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Mautic file inclusion / path traversal (post-auth) (1)

2026-05-31 · view entry permalink →

Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass

The Mautic project shipped releases 7.1.2 and 6.0.9 on 2026-05-28/29 closing seven vulnerabilities, and BSI CERT-Bund issued advisory WID-SEC-2026-1724 on 2026-05-29 rating the cluster hoch (HIGH) (BSI CERT-Bund WID-SEC-2026-1724, 2026-05-29; Mautic GitHub Security Advisory GHSA-fcmw-wx57-9p75, 2026-05-28). All seven require an authenticated session, but several go well beyond information disclosure. CVE-2026-9558 is a server-side template injection in theme templates: an authenticated user with theme-creation permission can execute arbitrary code on the server (all supported branches, 4.x–7.x). CVE-2026-9559 is a path traversal in the campaign-import handler that writes arbitrary PHP into sensitive directories, yielding remote code execution under the web-server user (Mautic 7.x). CVE-2026-9557 is a server-side request forgery in the Focus component: an authenticated user can make the Mautic server issue HTTP requests to internal network resources and cloud instance-metadata endpoints (IMDS) and read local files. CVE-2026-4776 is a SQL injection in the API contact-filtering interface. CVE-2026-9808 is an authorization bypass in the API v2 (Mautic 7.x). CVE-2026-9809 and CVE-2026-9811 are stored XSS in the Projects feature (Mautic 7.x). No in-the-wild exploitation is reported; exploitation status is unknown. Patched in 7.1.2 and 6.0.9 (released 2026-05-28/29).

Why it matters to us: Mautic is the dominant self-hosted, GDPR-compliant campaign-mail platform across European universities, cantonal and municipal communications teams, NGOs and political parties — a population that frequently runs it on an internal network segment with reachability to cloud metadata or back-office services. A single compromised authenticated account (the kind harvested in routine credential-stuffing or AiTM phishing) now reaches server-side code execution via the theme-template SSTI or the campaign-import PHP write (T1190, T1059), while the Focus SSRF reaches internal services and the cloud instance-metadata endpoint (T1552.005). Detection: review Mautic logs for theme-template edits and campaign-import operations by non-admin roles, and for Focus requests resolving to RFC-1918 ranges or 169.254.169.254; alert on the Mautic worker spawning shell / php child processes or making outbound connections to internal subnets. Hardening: upgrade to 7.1.2 / 6.0.9; restrict theme-creation and campaign-import permissions to trusted administrators; egress-filter the Mautic host (block link-local metadata and internal subnets); apply CSP headers on the admin UI.

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Mautic ausnutzen, um SQL-Injection- und Server-Side Request Forgery (SSRF)-Angriffe durchzuführen und um Informationen offenzulegen ... sowie unter Umständen beliebigen Code auf dem Server auszuführen

BSI CERT-Bund WID-SEC-2026-1724
threat31 May 05:00Zmulti-sourceOpen finding ↗