Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.
AnalysisAI
Remote code execution in Mautic 7 allows authenticated users with the campaign:imports:create permission to write arbitrary PHP files outside the intended extraction directory via a malicious ZIP uploaded through the campaign import feature. The flaw is a path traversal in the ZIP extraction routine that can be leveraged to overwrite cache or configuration files, yielding code execution as the web server user. No public exploit identified at time of analysis, and the CVSS 9.9 score reflects the combination of low attack complexity, scope change, and full CIA impact.
Technical ContextAI
Mautic is an open-source PHP-based marketing automation platform. The campaign import feature accepts a ZIP archive and extracts it into a temporary working directory before processing the contained campaign definitions. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as 'Zip Slip' when it occurs in archive extraction: entries inside the ZIP that contain '../' sequences or absolute paths are not normalized or constrained to the intended target directory, allowing the extractor to write files anywhere the PHP process has filesystem permissions. Because Mautic is PHP, dropping a .php file into a web-served directory or overwriting an autoloaded/cached file (such as a compiled Symfony container or Twig cache) is sufficient to achieve code execution on the next request.
Affected ProductsAI
Mautic 7 is affected, as documented in the upstream GitHub Security Advisory at https://github.com/mautic/mautic/security/advisories/GHSA-6r9h-4h75-7q4x. No CPE strings were supplied in the input intelligence, so the exact lower and upper version bounds within the 7.x line are not independently confirmed here - administrators should consult the linked advisory for the precise vulnerable version range and any backports to prior major versions.
RemediationAI
Upgrade to the fixed Mautic 7 release identified in the vendor advisory at https://github.com/mautic/mautic/security/advisories/GHSA-6r9h-4h75-7q4x; the exact fixed version was not provided in the input data, so consult that advisory directly rather than relying on inferred version numbers. As compensating controls until patching, revoke the campaign:imports:create permission from all non-administrative roles so only fully trusted operators can invoke the vulnerable import path (trade-off: marketing users lose self-service campaign import), place the Mautic administrative UI behind an authenticated reverse-proxy or IP allowlist to reduce the population of attackers able to reach the endpoint (trade-off: complicates legitimate remote access), and tighten the web server user's write permissions on cache, config, and document-root directories where feasible (trade-off: may break Mautic features that legitimately write to those paths, so test in staging). Monitor application logs for campaign import events and the filesystem for unexpected .php files appearing under cache or public directories.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33277
GHSA-6r9h-4h75-7q4x