Description
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server-Side Template Injection flaw in the Mautic theme engine allows users who can create or upload themes to supply arbitrary Twig templates that the platform renders without a sandbox. This unrestrained rendering lets an attacker execute arbitrary code on the hosting server and read files and configuration settings beyond the intended access scope. The weakness is classified as CWE-1336 and carries a CVSS score of 9.9, indicating a critical-severity risk.

Affected Systems

The vulnerability affects the Mautic platform’s theme engine. Specific product or version information is not provided, so all installations of Mautic that deploy the theme engine and allow theme uploads remain potentially vulnerable. Users should verify whether their system permits theme creation or upload by administrators or other privileged users.

Risk and Exploitability

An authenticated user with theme-upload permissions can trigger the flaw. Because there is no sandbox, the attacker can use the Twig engine to run server-side code, achieving remote code execution or data exfiltration. No exploit probability (EPSS) is available, but the high CVSS score and absence from KEV suggest that it is not yet widely exploited but remains a serious threat. The attack vector is inferred to be internal, relying on user privileges rather than an external network attack.

Generated by OpenCVE AI on May 29, 2026 at 11:20 UTC.

Remediation

Vendor Workaround

There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.


OpenCVE Recommended Actions

  • Implement the official patch or upgrade to the latest Mautic release as soon as it is available.
  • Restrict the "core:themes:create" permission to only highly trusted administrators, eliminating the ability for general users to upload or create themes.
  • If theme creation is not required for business operations, disable the theme upload feature entirely to eliminate the attack surface.

Generated by OpenCVE AI on May 29, 2026 at 11:20 UTC.
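The control the description says is missing is Twig's sandbox: an allowlist policy that decides which tags, filters, functions, methods and properties an untrusted template may use, enforced on every template rather than only on those wrapped in a sandbox tag. The PHP below is an added illustration of that mechanism, not Mautic's code and not taken from this advisory; the allowlist contents, the error-logging choice and the use of an in-memory loader are assumptions chosen for the example, and it assumes twig/twig 3.x is installed via Composer.

```php
<?php
// Added example (not Mautic's code): render an untrusted Twig template through
// Twig's SandboxExtension with an allowlist SecurityPolicy, the control the
// advisory describes as absent. Assumes twig/twig ^3 installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Build an environment in which every template is sandboxed (second argument
// true), so an uploaded theme cannot opt out by simply omitting {% sandbox %}.
// The allowlists here are illustrative assumptions; a real deployment derives
// them from what shipped themes actually need.
function buildSandboxedTwig(): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for', 'set'],                 // allowed tags
        ['escape', 'upper', 'lower', 'date'], // allowed filters ('escape' is needed for autoescape)
        [],                                   // allowed methods: none on any object
        [],                                   // allowed properties: none
        ['range']                             // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

// Render an uploaded theme template. A policy violation surfaces as a
// SecurityError instead of executing; that exception is the event worth
// logging and alerting on, since a legitimate theme never triggers it.
function renderUntrusted(Environment $twig, string $source, array $vars): string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        error_log('theme template rejected by sandbox: ' . $e->getMessage());
        return '';
    }
}

$twig = buildSandboxedTwig();

// Constructed sample: a legitimate theme snippet using only allowlisted features.
echo renderUntrusted($twig, 'Hello {{ name|upper }}', ['name' => 'Mautic']), "\n";

// Constructed sample: 'format' is a real Twig filter but is not on the allowlist,
// so the sandbox refuses the template and the rejection is logged.
echo renderUntrusted($twig, '{{ "%s"|format(name) }}', ['name' => 'x']), "\n";
```

The first call prints "Hello MAUTIC"; the second prints an empty line and writes a rejection message to the PHP error log. Sandboxing is a defence-in-depth layer, not a substitute for the vendor fix: the advisory's recommended actions (upgrade when the patch is available, restrict core:themes:create, disable theme upload where it is not needed) still apply, and any SecurityError logged from the theme renderer should be treated as a signal that someone with theme permissions attempted something a theme should never do.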

Advisories

No advisories yet.

History

Fri, 29 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
Title | | SSTI in Mautic Theme Engine Allows Authenticated Remote Code Execution
First Time appeared | | Mautic; Mautic mautic
Vendors & Products | | Mautic; Mautic mautic

Fri, 29 May 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.
Weaknesses | | CWE-1336
References | | 
Metrics | | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Mautic

Published:

Updated: 2026-05-29T10:49:06.099Z

Reserved: 2026-05-26T08:36:52.218Z

Link: CVE-2026-9558

Vulnrichment

Updated: 2026-05-29T10:49:00.571Z

NVD

Status : Deferred

Published: 2026-05-29T11:16:17.980

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T11:30:42Z

Weaknesses