CRITICAL🇵🇱 Wersja polska

CVE-2026-9558

CVSS 9.9v3.1pub. 2026-05-29

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

🤖 AI Analysis
How it works

Mautic renders user-submitted Twig templates without applying a sandbox mechanism or restrictions on allowed functions. An authenticated user with permissions to create or upload themes can craft a malicious template containing Twig directives that execute arbitrary system commands. The platform processes such a template on the server side, resulting in the execution of embedded code in the context of the application process.

Impact

An attacker can gain full control of the server through Remote Code Execution (RCE) or obtain unauthorized access to protected system files and configuration data, including potentially credentials for databases and other services.

Mitigation & patch

Apply patches available from the vendor according to references (https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg). Until updates are applied, it is recommended to restrict permissions for creating and uploading themes exclusively to trusted administrators.

Who is affected

Mautic — versions indicated in vendor references (advisory GHSA-9fx4-7cmj-47vg). The vulnerability affects installations where authenticated users have permissions to create or upload themes.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References