Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
AnalysisAI
Stored XSS in Mautic 7's project selector component allows an authenticated low-privileged user to inject malicious script payloads via unsanitized project names rendered through AJAX into DOM option fields. When an administrative user subsequently opens an entity editor containing the affected project selector, the payload executes in the admin's browser session with a changed scope (S:C per CVSS), enabling session hijacking, unauthorized state manipulation, or organizational data exfiltration within the dashboard. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present, though the stored, persistent nature of the payload and low attack complexity make this a credible privilege-escalation pivot for internal threat actors.
Technical ContextAI
Mautic 7 is an open-source marketing automation platform. The vulnerable component is the project selector UI element used when associating projects with system entities. Project names are fetched asynchronously via AJAX and injected into the DOM as option fields without sanitization - a classic sink-based stored XSS pattern. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the failure to HTML-encode or otherwise sanitize attacker-controlled string data before inserting it into the DOM. The CVSS vector's changed scope (S:C) reflects that while the payload is stored under a low-privileged context, it executes in the security context of the administrative user's session - crossing a privilege boundary. No CPE strings were provided, but the advisory targets Mautic 7 specifically.
Affected ProductsAI
The vulnerability affects Mautic 7. The exact minimum or maximum vulnerable version range is not specified in the available data beyond the major version designation. The GitHub Security Advisory GHSA-5hvg-w58j-545m published by the Mautic project at https://github.com/mautic/mautic/security/advisories/GHSA-5hvg-w58j-545m is the primary vendor reference. No CPE strings were supplied to further bound the affected version range.
RemediationAI
Consult the Mautic security advisory at https://github.com/mautic/mautic/security/advisories/GHSA-5hvg-w58j-545m for the official patched release version; a specific fix version was not included in the available intelligence data, so the patch version is not independently confirmed here. As a compensating control pending patch deployment, restrict the 'create project' permission to only fully trusted administrative accounts, which eliminates the low-privilege attacker prerequisite (PR:L) entirely - note this may limit team workflows. Additionally, a Content Security Policy (CSP) header that blocks inline script execution can prevent injected payloads from running even if the XSS sink remains present, though CSP bypass is possible if the policy is permissive. Audit existing project names for suspicious script tags or JavaScript URI patterns as a post-incident check.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33280
GHSA-5hvg-w58j-545m