Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data.
AnalysisAI
Stored cross-site scripting in Mautic 7's Projects component allows authenticated low-privilege users with project create/edit permissions to inject script payloads into project names that execute when administrators hover over project tags or popovers on campaign, email, or form detail views. Exploitation yields script execution in an administrator's authenticated session, enabling configuration tampering, privilege escalation through administrative actions, and exfiltration of sensitive data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Mautic is an open-source marketing automation platform written in PHP/Symfony where the Projects component organizes related marketing entities (campaigns, emails, forms) under named groupings with visual tags and hover popovers in administrative UIs. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): project-name strings supplied by a user are persisted to the database and later rendered into the DOM of administrative detail views - specifically in tag chips and their popover tooltips - without HTML encoding or contextual output escaping. Because the payload is stored and rendered later in another user's higher-privileged session, this is a second-order, persistent XSS rather than a reflected one, and any rendering path that pulls the project name into the admin UI becomes a sink. No CPE strings were provided in the input, so exact affected SKUs/builds beyond 'Mautic 7' branch are not enumerated by NVD data here.
Affected ProductsAI
The vulnerability affects Mautic 7 (the Projects component on administrative detail views including campaigns, emails, and forms), as reported directly by the Mautic project. No CPE strings, exact minor-version ranges, or 'fixed in' versions were supplied in the input data; refer to the GitHub Security Advisory at https://github.com/mautic/mautic/security/advisories/GHSA-7h65-whp7-rgqf for the authoritative affected-version range.
RemediationAI
Patch available per vendor advisory - consult Mautic's GitHub Security Advisory GHSA-7h65-whp7-rgqf (https://github.com/mautic/mautic/security/advisories/GHSA-7h65-whp7-rgqf) for the exact fixed Mautic 7 release and upgrade to that version; exact fix version is not provided in the supplied input and should not be guessed. Until the upgrade is applied, compensating controls include restricting the 'create/edit project' permission to a minimal set of fully trusted users (trade-off: blocks legitimate marketers from organizing their own work), auditing existing project names in the database for HTML/JavaScript content and renaming or removing suspicious entries (trade-off: requires manual review and may break references), and instructing administrators to avoid hovering over project tags on detail views until patched (trade-off: operationally fragile and depends on user discipline). Deploying a Content Security Policy that disallows inline script execution on the Mautic admin origin will block most payloads but may break Mautic UI features that rely on inline handlers, so test before enforcing.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33279
GHSA-7h65-whp7-rgqf