Description

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
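The mitigation this advisory points at is to render theme templates inside Twig's sandbox with an explicit allow list, so a template can only reach the tags, filters, functions and object members the application names. The following is an added example, not Mautic's own code or the upstream fix; it assumes twig/twig is installed via Composer, and the two theme templates are constructed stand-ins for uploaded theme files.

```php
<?php
// Added example (not Mautic's code): render untrusted theme templates through
// Twig's sandbox so that anything outside an explicit allow list is refused.
// Assumes twig/twig is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample "uploaded theme" templates (not real Mautic theme files).
$loader = new ArrayLoader([
    'benign.html.twig' => '<h1>{{ title|upper }}</h1>{% for i in range(1, 3) %}{{ i }}{% endfor %}',
    // Calls a Twig function that is not on the allow list and would otherwise
    // let template authors reach into PHP (here a harmless constant lookup).
    'reject.html.twig' => '{{ constant("PHP_OS") }}',
]);

// Explicit allow list: tags, filters, methods, properties, functions.
// Anything not named here raises a SecurityError when the template compiles.
$policy = new SecurityPolicy(
    ['for', 'if', 'set'],   // tags
    ['upper', 'escape'],    // filters
    [],                     // methods   (class => [method, ...])
    [],                     // properties (class => [property, ...])
    ['range']               // functions
);

$twig = new Environment($loader, ['autoescape' => 'html']);
// Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

function renderTheme(Environment $twig, string $name, array $vars): string
{
    try {
        return $twig->render($name, $vars);
    } catch (SecurityError $e) {
        // Refuse the template (and log it); the uploader's code never runs.
        return 'REJECTED: ' . $e->getMessage();
    }
}

echo renderTheme($twig, 'benign.html.twig', ['title' => 'Hello']), PHP_EOL;
echo renderTheme($twig, 'reject.html.twig', []), PHP_EOL;
```

The sandbox check runs at compile time, so the rejected template is never executed; pair it with a review of which functions, filters and methods a theme legitimately needs before widening the allow list.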

PUBLISHED Reserved 2026-05-26 | Published 2026-05-29 | Updated 2026-05-29 | Assigner Mautic

CRITICAL: 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Product status

Default status: unaffected

1.3.0 (semver) before 4.4.20: affected

5.0.0 (semver) before 5.2.11: affected

6.0.0 (semver) before 6.0.9: affected

7.0.0 (semver) before 7.1.2: affected

Credits

Onurcan Genç (@onurcangnc) finder

Daniel Zhang (@xfer0) finder

Tuan Do (@Entropt) finder

Patryk Gruszka (@patrykgruszka) remediation reviewer

John Linhart (@escopecz) remediation reviewer

Leuchtfeuer Digital Marketing (@Leuchtfeuer) sponsor

References

github.com/...mautic/security/advisories/GHSA-9fx4-7cmj-47vg

cve.org (CVE-2026-9558)

nvd.nist.gov (CVE-2026-9558)