Severity by source
CVSS 3.1 vector (NVD; the only rating source for this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Analysis (AI)
Server-Side Template Injection in Mautic's theme engine allows authenticated users with theme creation or upload permissions to execute arbitrary code on the host. Because the platform renders uploaded Twig templates without a sandbox or strict function allowlist, an attacker who already holds theme-management rights can pivot from administrative content control to full server compromise, including reads of restricted system files and configuration. …
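The control the description says is absent is Twig's own sandbox. The following PHP is an added example, not Mautic's code and not taken from the advisory, showing how uploaded theme templates can be rendered through Twig's SandboxExtension with an explicit SecurityPolicy allowlist, so that a template reaching for any tag, filter, function, method or property outside that list is rejected with a SecurityError instead of executing. The ThemeRenderer class, the allowlist contents, the log message and the two sample templates are all constructed for illustration.

```php
<?php
// Added example (not Mautic's own code): rendering uploaded theme templates
// through Twig's SandboxExtension with an explicit allowlist. ThemeRenderer,
// the policy contents and the sample templates are illustrative assumptions.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

final class ThemeRenderer
{
    private Environment $twig;

    /** @param array<string,string> $templates template name => template source */
    public function __construct(array $templates)
    {
        // Allowlist, not blocklist: only these constructs are reachable from an
        // uploaded template. Everything else (including every object method and
        // property, since those arrays are empty) is refused at render time.
        $policy = new SecurityPolicy(
            ['if', 'for', 'set'],                            // tags
            ['escape', 'upper', 'lower', 'date', 'default'], // filters ('escape' is needed by autoescape)
            [],                                              // object methods
            [],                                              // object properties
            ['range']                                        // functions
        );

        $this->twig = new Environment(new ArrayLoader($templates), [
            'autoescape'       => 'html',
            'strict_variables' => true,
        ]);

        // Second argument true: the sandbox is enforced for every render, so no
        // code path can forget to opt in for a particular template.
        $this->twig->addExtension(new SandboxExtension($policy, true));
    }

    /** Render a theme template; returns null (and logs) when the policy blocks it. */
    public function render(string $name, array $vars): ?string
    {
        try {
            return $this->twig->render($name, $vars);
        } catch (SecurityError $e) {
            // Detection point: a theme template touching something outside the
            // allowlist is worth alerting on, not just failing quietly.
            error_log(sprintf('theme template %s rejected by sandbox: %s', $name, $e->getMessage()));
            return null;
        }
    }
}

// Constructed sample templates standing in for uploaded theme files.
$renderer = new ThemeRenderer([
    'benign.html.twig'  => '<h1>{{ title|upper }}</h1>{% for i in range(1, 3) %}{{ i }}{% endfor %}',
    // Calls a core Twig function that is deliberately not on the allowlist.
    'blocked.html.twig' => '{{ constant("PHP_VERSION") }}',
]);

var_dump($renderer->render('benign.html.twig', ['title' => 'Hello']));
var_dump($renderer->render('blocked.html.twig', []));
```

Enabling the sandbox globally rather than per call closes the usual gap where one render path forgets to opt in, and the SecurityError branch is the natural place to log and alert: a theme template that asks for a non-allowlisted function is itself a strong indicator of an injection attempt. This sandbox illustrates the missing control; upgrading to the fixed release named in the advisory remains the primary remediation.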
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated Mautic account that holds permission to create or upload themes (PR:L in the CVSS vector), and the attacker must be able to reach the Mautic web interface over the network; no interaction by another user is needed. … |
| Risk Assessment | The CVSS:3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields 9.9, reflecting network reach, low complexity, low-privilege authenticated abuse, no user interaction, and a changed scope with full confidentiality, integrity and availability impact. The changed scope is appropriate because an authenticated theme operator can escape Mautic's trust boundary into the underlying OS. … |
| Exploit Scenario | An attacker obtains or is granted a Mautic account with theme creation/upload rights, for example through credential reuse, a phishing-acquired marketer account that was over-privileged, or a malicious contractor. They craft a Twig template containing an SSTI payload that invokes PHP via the unsandboxed renderer, upload it as part of a theme, and trigger rendering to execute shell commands as the web server user, leading to webshell installation, configuration/secret exfiltration, and lateral movement. |
| Remediation | A patch is available per the vendor advisory: upgrade Mautic to the fixed release identified in GHSA-9fx4-7cmj-47vg (https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg), applying the exact patched version listed there as the primary remediation. … |
Related vulnerabilities (entries truncated on the page)
- Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e…
- Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor…
- Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve…
- Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb…
- AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote C…
- OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rate…
- In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function fro…
- IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the at…
- Server-side template injection in RAGFlow 0.24.0 and earlier allows any authenticated user to execute arbitrary operatin…
- Incus system container and virtual machine manager versions prior to 6.23.0 allow authenticated users with instance acce…
- Remote code execution in Wirtualna Uczelnia (versions up to wu#2016.437.295#0#20260327_105545) allows unauthenticated ne…
- Server-side template injection in JTL Shop 5.2.0 through 5.7.1 allows remote unauthenticated attackers to inject Smarty…
References
- EUVD-2026-33276
- GHSA-9fx4-7cmj-47vg (https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg)