πŸ” CVE Alert

CVE-2026-9558

CRITICAL 9.9
CVSS Score
9.9
EPSS Score
0.0%
EPSS Percentile
0th

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

CWE CWE-1336
Published May 29, 2026
Last Updated May 29, 2026
Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new critical vulnerabilities are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg

Credits

Onurcan Genç (@onurcangnc) Daniel Zhang (@xfer0) Tuan Do (@Entropt) Patryk Gruszka (@patrykgruszka) John Linhart (@escopecz) Leuchtfeuer Digital Marketing (@Leuchtfeuer)