CVE-2026-9557

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary internal or external destinations.

Affected Software

VendorProductVersion RangeStatus
4.0.0 < 4.4.20affected
5.0.0 < 5.2.11affected
6.0.0 < 6.0.9affected
7.0.0 < 7.1.2affected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)

Workarounds

There are no official workarounds. To completely mitigate the exposure without upgrading, disabling or limiting external network access from the Mautic web server to internal-only subnets and local hosts is recommended.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References