
Description

A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Because user-supplied URLs are insufficiently validated, an authenticated user can make the hosting server issue outbound HTTP requests to destinations of their choosing, including internal addresses. This enables reconnaissance of the internal network and requests to arbitrary internal or external hosts from the server's network position.
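The checks a URL-fetching feature like Focus needs are the same regardless of framework: restrict the scheme, resolve the host before connecting, refuse every answer that is not a public unicast address (loopback, RFC 1918, link-local such as the cloud metadata endpoint, IPv4-mapped IPv6 forms), pin the connection to the address that was checked, and repeat the check on every redirect hop. The following is an added example written for this page, not Mautic's code and not the project's fix (Mautic is PHP; Python is used here because the logic is language-independent). The function names, the hostnames and the addresses in FAKE_DNS and the fake transport are all constructed so the example runs offline.

```python
"""SSRF hardening for a server-side URL fetcher. Added example, not Mautic
code: parse the URL, resolve the host, reject every non-public address,
pin the connection to the checked address, re-check on each redirect."""
from __future__ import annotations
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], Iterable[str]]
# (host, pinned_ip, port, path) -> (status, headers, body). A real client
# must connect to pinned_ip and send `host` as the Host header / SNI.
Transport = Callable[[str, str, int, str], tuple[int, dict, bytes]]

class UnsafeDestination(ValueError):
    """Raised when a URL must not be fetched from the server."""

def system_resolver(host: str) -> list[str]:
    """Every A/AAAA answer for host from the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_global rejects loopback, RFC 1918, link-local (169.254.169.254 cloud
    # metadata), CGNAT, unspecified and reserved, but not multicast.
    return ip.is_global and not ip.is_multicast

def validate_destination(url: str, resolver: Resolver = system_resolver,
                         allowed_schemes=("http", "https")) -> tuple[str, str, int]:
    """Return (host, pinned_ip, port) if url is safe to fetch, else raise."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeDestination("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeDestination("userinfo in URL not allowed")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:               # non-numeric or out-of-range port
        raise UnsafeDestination(f"bad port: {exc}") from None
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]   # literal address, incl. [::1]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise UnsafeDestination(f"{host!r} does not resolve")
    for ip in addrs:   # every answer must pass: a hostile zone can mix records
        if not is_public(ip):
            raise UnsafeDestination(f"{host!r} resolves to non-public {ip}")
    return host, str(addrs[0]), port

def fetch(url: str, transport: Transport, resolver: Resolver = system_resolver,
          max_redirects: int = 3) -> tuple[int, bytes]:
    """Fetch url, re-validating the destination on every redirect hop."""
    for _ in range(max_redirects + 1):
        host, ip, port = validate_destination(url, resolver)
        parts = urlsplit(url)
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        status, headers, body = transport(host, ip, port, path)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)    # next hop goes through validation too
            continue
        return status, body
    raise UnsafeDestination("too many redirects")

# Constructed fixtures so the example runs offline (hostnames/addresses invented).
FAKE_DNS = {
    "partner.example": ["93.184.216.34"],              # public
    "rebind.example": ["93.184.216.34", "10.0.0.5"],   # mixed public/internal
    "metadata.internal": ["169.254.169.254"],          # cloud metadata endpoint
    "0x7f000001": ["127.0.0.1"],                       # what a resolver accepting hex literals returns
}

def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

def fake_transport(host: str, ip: str, port: int, path: str) -> tuple[int, dict, bytes]:
    """Stand-in client: a public host with an open redirect to the metadata service."""
    routes = {
        ("partner.example", "/ok"): (200, {}, b"hello"),
        ("partner.example", "/go"): (302, {"location": "http://metadata.internal/latest/meta-data/"}, b""),
    }
    return routes.get((host, path), (404, {}, b""))

def is_blocked(url: str) -> bool:
    """True if fetch() refuses url against the constructed DNS and transport."""
    try:
        fetch(url, fake_transport, fake_resolver)
    except UnsafeDestination:
        return True
    return False
```

With the constructed fixtures, `fetch("http://partner.example/ok", fake_transport, fake_resolver)` succeeds, while `is_blocked("http://partner.example/go")` is true because the redirect to `metadata.internal` is re-validated and rejected on the second hop. The pinning contract matters as much as the address check: if the HTTP client re-resolves the hostname after `validate_destination` returns, an attacker-controlled zone can answer with a public address during the check and an internal one at connect time. The project's actual remediation is in the GitHub advisory referenced below.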

Status: PUBLISHED | Reserved 2026-05-26 | Published 2026-05-29 | Updated 2026-05-29 | Assigner: Mautic

CVSS 3.1 base score: 6.4 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status: unaffected

Affected version ranges (semver):
4.0.0 before 4.4.20 (fixed in 4.4.20)
5.0.0 before 5.2.11 (fixed in 5.2.11)
6.0.0 before 6.0.9 (fixed in 6.0.9)
7.0.0 before 7.1.2 (fixed in 7.1.2)

Credits

Mateus (@r1beirin) finder

Nguyen Huy Vu Dung (@dungNHVhust) finder

Patryk Gruszka (@patrykgruszka) remediation developer

John Linhart (@escopecz) remediation reviewer

Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

github.com/...mautic/security/advisories/GHSA-jmv8-8j9j-rcpc

cve.org (CVE-2026-9557)

nvd.nist.gov (CVE-2026-9557)
