A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Mautic renders user-submitted Twig templates without applying a sandbox mechanism or restrictions on allowed functions. An authenticated user with permissions to create or upload themes can craft a malicious template containing Twig directives that execute arbitrary system commands. The platform processes such a template on the server side, resulting in the execution of embedded code in the context of the application process.
An attacker can gain full control of the server through Remote Code Execution (RCE) or obtain unauthorized access to protected system files and configuration data, including potentially credentials for databases and other services.
Apply patches available from the vendor according to references (https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg). Until updates are applied, it is recommended to restrict permissions for creating and uploading themes exclusively to trusted administrators.
Mautic — versions indicated in vendor references (advisory GHSA-9fx4-7cmj-47vg). The vulnerability affects installations where authenticated users have permissions to create or upload themes.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H