{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9558", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "state": "PUBLISHED", "assignerShortName": "Mautic", "dateReserved": "2026-05-26T08:36:52.218Z", "datePublished": "2026-05-29T10:01:36.019Z", "dateUpdated": "2026-05-29T10:49:06.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2026-05-29T10:01:36.019Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1336", "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "affected": [{"collectionURL": "https://packagist.org", "packageName": "mautic/core", "repo": "https://github.com/mautic/mautic", "versions": [{"status": "affected", "version": "1.3.0", "lessThan": "4.4.20", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.2.11", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.0.9", "versionType": "semver"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings."}]}], "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}], "workarounds": [{"lang": "en", "value": "There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators."}]}], "credits": [{"lang": "en", "value": "Onurcan Gen\u00e7 (@onurcangnc)", "type": "finder"}, {"lang": "en", "value": "Daniel Zhang (@xfer0)", "type": "finder"}, {"lang": "en", "value": "Tuan Do (@Entropt)", "type": "finder"}, {"lang": "en", "value": "Patryk Gruszka (@patrykgruszka)", "type": "remediation reviewer"}, {"lang": "en", "value": "John Linhart (@escopecz)", "type": "remediation reviewer"}, {"lang": "en", "value": "Leuchtfeuer Digital Marketing (@Leuchtfeuer)", "type": "sponsor"}], "source": {"advisory": "GHSA-9fx4-7cmj-47vg", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-29T10:48:50.985840Z", "id": "CVE-2026-9558", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T10:49:06.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-9558", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-29T10:48:50.985840Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-29T10:49:00.571Z"}}], "cna": {"source": {"advisory": "GHSA-9fx4-7cmj-47vg", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Onurcan Gen\u00e7 (@onurcangnc)"}, {"lang": "en", "type": "finder", "value": "Daniel Zhang (@xfer0)"}, {"lang": "en", "type": "finder", "value": "Tuan Do (@Entropt)"}, {"lang": "en", "type": "remediation reviewer", "value": "Patryk Gruszka (@patrykgruszka)"}, {"lang": "en", "type": "remediation reviewer", "value": "John Linhart (@escopecz)"}, {"lang": "en", "type": "sponsor", "value": "Leuchtfeuer Digital Marketing (@Leuchtfeuer)"}], "impacts": [{"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mautic/mautic", "versions": [{"status": "affected", "version": "1.3.0", "lessThan": "4.4.20", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.2.11", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.0.9", "versionType": "semver"}, {"status": "affected", "version": "7.0.0", "lessThan": "7.1.2", "versionType": "semver"}], "packageName": "mautic/core", "collectionURL": "https://packagist.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg"}], "workarounds": [{"lang": "en", "value": "There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.", "supportingMedia": [{"type": "text/html", "value": "There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.", "base64": false}]}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.", "supportingMedia": [{"type": "text/html", "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "shortName": "Mautic", "dateUpdated": "2026-05-29T10:01:36.019Z"}}}, "cveMetadata": {"cveId": "CVE-2026-9558", "state": "PUBLISHED", "dateUpdated": "2026-05-29T10:49:06.099Z", "dateReserved": "2026-05-26T08:36:52.218Z", "assignerOrgId": "4e531c38-7a33-45d3-98dd-d909c0d8852e", "datePublished": "2026-05-29T10:01:36.019Z", "assignerShortName": "Mautic"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings."}], "id": "CVE-2026-9558", "lastModified": "2026-05-29T15:39:34.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security@mautic.org", "type": "Secondary"}]}, "published": "2026-05-29T11:16:17.980", "references": [{"source": "security@mautic.org", "url": "https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg"}], "sourceIdentifier": "security@mautic.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security@mautic.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "mautic", "vendor": "mautic"}], "created": "2026-05-29T11:30:42.084357+00:00", "title": "SSTI in Mautic Theme Engine Allows Authenticated Remote Code Execution", "updated": "2026-05-29T11:30:42.378412+00:00", "vendors": ["mautic", "mautic$PRODUCT$mautic"]}