CVE-2026-9558
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
1.3.0 < 4.4.20 | affected | ||
5.0.0 < 5.2.11 | affected | ||
6.0.0 < 6.0.9 | affected | ||
7.0.0 < 7.1.2 | affected |
Weaknesses
- CWE-1336: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
Workarounds
There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.