Skip to main content

Mautic CVE-2026-9559

| EUVDEUVD-2026-33277 CRITICAL
Path Traversal (CWE-22)
2026-05-29 Mautic GHSA-6r9h-4h75-7q4x
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 12:21 vuln.today

DescriptionCVE.org

A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.

AnalysisAI

Remote code execution in Mautic 7 allows authenticated users with the campaign:imports:create permission to write arbitrary PHP files outside the intended extraction directory via a malicious ZIP uploaded through the campaign import feature. The flaw is a path traversal in the ZIP extraction routine that can be leveraged to overwrite cache or configuration files, yielding code execution as the web server user. No public exploit identified at time of analysis, and the CVSS 9.9 score reflects the combination of low attack complexity, scope change, and full CIA impact.

Technical ContextAI

Mautic is an open-source PHP-based marketing automation platform. The campaign import feature accepts a ZIP archive and extracts it into a temporary working directory before processing the contained campaign definitions. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as 'Zip Slip' when it occurs in archive extraction: entries inside the ZIP that contain '../' sequences or absolute paths are not normalized or constrained to the intended target directory, allowing the extractor to write files anywhere the PHP process has filesystem permissions. Because Mautic is PHP, dropping a .php file into a web-served directory or overwriting an autoloaded/cached file (such as a compiled Symfony container or Twig cache) is sufficient to achieve code execution on the next request.

Affected ProductsAI

Mautic 7 is affected, as documented in the upstream GitHub Security Advisory at https://github.com/mautic/mautic/security/advisories/GHSA-6r9h-4h75-7q4x. No CPE strings were supplied in the input intelligence, so the exact lower and upper version bounds within the 7.x line are not independently confirmed here - administrators should consult the linked advisory for the precise vulnerable version range and any backports to prior major versions.

RemediationAI

Upgrade to the fixed Mautic 7 release identified in the vendor advisory at https://github.com/mautic/mautic/security/advisories/GHSA-6r9h-4h75-7q4x; the exact fixed version was not provided in the input data, so consult that advisory directly rather than relying on inferred version numbers. As compensating controls until patching, revoke the campaign:imports:create permission from all non-administrative roles so only fully trusted operators can invoke the vulnerable import path (trade-off: marketing users lose self-service campaign import), place the Mautic administrative UI behind an authenticated reverse-proxy or IP allowlist to reduce the population of attackers able to reach the endpoint (trade-off: complicates legitimate remote access), and tighten the web server user's write permissions on cache, config, and document-root directories where feasible (trade-off: may break Mautic features that legitimately write to those paths, so test in staging). Monitor application logs for campaign import events and the filesystem for unexpected .php files appearing under cache or public directories.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-9559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy