CVE-2026-9558

Summary

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

Affected Software

VendorProductVersion RangeStatus
1.3.0 < 4.4.20affected
5.0.0 < 5.2.11affected
6.0.0 < 6.0.9affected
7.0.0 < 7.1.2affected

Weaknesses

  • CWE-1336: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Workarounds

There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References