
Mautic · EUVD-2026-33276 · CVE-2026-9558 · CRITICAL

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
Date: 2026-05-29 · Vendor: Mautic · Advisory: GHSA-9fx4-7cmj-47vg
Score: 9.9 (CVSS 3.1, NVD)

Severity by source

NVD (primary): 9.9 CRITICAL
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

  • CVE Published: Jun 22, 2026, 06:03 (cve.org) · CRITICAL 9.9
  • Analysis Generated: May 29, 2026, 11:00 (vuln.today)

Description (CVE.org)

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

Analysis (AI)

Server-Side Template Injection in Mautic's theme engine allows authenticated users with theme creation or upload permissions to execute arbitrary code on the host. Because the platform renders uploaded Twig templates without a sandbox or strict function allowlist, an attacker who already holds theme-management rights can pivot from administrative content control to full server compromise, including reads of restricted system files and configuration. …
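As an added example (not Mautic's own code and not taken from the advisory), the following PHP shows the control the description says is missing: rendering theme templates through Twig's sandbox extension with an explicit allowlist, so that an uploaded template cannot use functions, filters, tags or object methods outside the policy. It assumes twig/twig 3.x installed via Composer; the template names, their contents, the allowlist and the renderTheme() helper are constructed for illustration.

```php
<?php
// Added example, not Mautic's code: render untrusted (uploaded) Twig templates
// only through the sandbox extension with an explicit allowlist.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig ^3 via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed sample "uploaded" templates; a real deployment would load them
// from the theme directory instead of an array.
$templates = [
    'benign.html.twig'  => 'Hello {{ name|upper }}!',
    'blocked.html.twig' => '{% for i in range(1, 3) %}{{ i }}{% endfor %}',
];

// Allowlist policy: anything not listed here is rejected at compile time.
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods: no method calls on any object
    [],                   // allowed properties
    []                    // allowed functions: none, so range() is rejected
);

$twig = new Environment(new ArrayLoader($templates));
// Second argument true sandboxes every template, not only those inside a
// {% sandbox %} block or rendered after enableSandbox().
$twig->addExtension(new SandboxExtension($policy, true));

// Hypothetical helper: render a theme template and refuse (rather than fall
// back to an unsandboxed render) when the policy rejects it.
function renderTheme(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        // Worth alerting on: a theme template tried to use something outside the allowlist.
        error_log(sprintf('theme template %s rejected by sandbox policy: %s',
            $name, $e->getMessage()));
        return '';
    }
}

echo renderTheme($twig, 'benign.html.twig', ['name' => 'Ada']), PHP_EOL;
echo renderTheme($twig, 'blocked.html.twig', []), PHP_EOL;
```

The first template renders normally because `upper` is on the filter allowlist; the second is refused before execution because `range` is not on the function allowlist, and the refusal is logged, which is the event a defender would want to watch for on a theme-upload path. The point of the allowlist being empty for methods and functions is that the policy fails closed: new Twig features or extensions added later stay unreachable from uploaded templates until someone deliberately allows them.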


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain Mautic account with theme permissions
  • Delivery: Craft malicious Twig template payload
  • Exploit: Upload template via theme engine
  • Execution: Trigger template render to execute PHP
  • Persist: Run arbitrary OS commands as web user
  • Impact: Read configs and install webshell for persistence

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Mautic account that holds permission to create or upload themes (PR:L in the CVSS vector), and the attacker must be able to reach the Mautic web interface over the network; no interaction by another user is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS:3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields 9.9, reflecting network reach, low complexity, low-privilege authenticated abuse, no user interaction, and a changed scope with full confidentiality, integrity and availability impact. The changed scope is appropriate because an authenticated theme operator can escape Mautic's trust boundary into the underlying OS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker obtains or is granted a Mautic account with theme creation/upload rights, for example through credential reuse, a phishing-acquired marketer account that was over-privileged, or a malicious contractor. They craft a Twig template containing an SSTI payload that invokes PHP via the unsandboxed renderer, upload it as part of a theme, and trigger rendering to execute shell commands as the web server user, leading to webshell installation, configuration/secret exfiltration, and lateral movement.
Remediation: A patch is available per the vendor advisory: upgrade Mautic to the fixed release identified in GHSA-9fx4-7cmj-47vg (https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg), applying the exact patched version listed there as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.


More in SSTI

  • CVE-2025-47916 · CRITICAL · PoC · 10.0 · May 16: Invision Community 5.0.0 through 5.0.6 contains an unauthenticated remote code execution vulnerability in the template e
  • CVE-2024-6386 · CRITICAL · PoC · 9.9 · Aug 21: Remote code execution in the WPML WordPress multilingual plugin (versions up to and including 4.6.12) allows Contributor
  • CVE-2025-23211 · CRITICAL · PoC · 9.9 · Jan 28: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
  • CVE-2026-28496 · CRITICAL · PoC · 9.4 · Jun 23: Server-side template injection in FOSSBilling versions prior to 0.8.0 allows authenticated administrators to execute arb
  • CVE-2025-1040 · HIGH · PoC · 8.8 · Mar 20: AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote C
  • CVE-2024-54954 · HIGH · PoC · 8.0 · Feb 10: OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department. Rate
  • CVE-2024-8238 · HIGH · PoC · 8.1 · Mar 20: In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function fro
  • CVE-2025-46661 · CRITICAL · 10.0 · Apr 28: IPW Systems Metazo through 8.1.3 allows unauthenticated Remote Code Execution because smartyValidator.php enables the at
  • CVE-2026-45312 · CRITICAL · 9.9 · May 29: Server-side template injection in RAGFlow 0.24.0 and earlier allows any authenticated user to execute arbitrary operatin
  • CVE-2026-33897 · CRITICAL · 9.9 · Mar 26: Incus system container and virtual machine manager versions prior to 6.23.0 allow authenticated users with instance acce
  • CVE-2026-34906 · CRITICAL · 9.3 · Jun 02: Remote code execution in Wirtualna Uczelnia (versions up to wu#2016.437.295#0#20260327_105545) allows unauthenticated ne
  • CVE-2026-54390 · CRITICAL · 9.3 · Jun 18: Server-side template injection in JTL Shop 5.2.0 through 5.7.1 allows remote unauthenticated attackers to inject Smarty


EUVD-2026-33276 vulnerability details – vuln.today
