Description
A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data.
Published: 2026-05-29
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross-Site Scripting flaw resides in the Projects component of Mautic 7. Project names supplied by an authenticated user with create or edit rights are displayed without proper sanitization on administrative detail views. If a malicious script is injected, the code runs when an administrator hovers over a project tag. This can allow the attacker to perform administrative actions, modify system configuration, or exfiltrate data within the victim's browser session.

Affected Systems

The issue affects the Mautic 7 project management module. Any instance running Mautic 7 that allows users to create or edit projects is vulnerable until corrected.

Risk and Exploitability

The CVSS score of 7.6 indicates a medium-to-high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited knowledge of active exploitation. The likely exploit requires an authenticated user with project creation/edit rights to inject script, and an administrator to view the project detail. Once triggered, the script executes with the administrator's privileges, so the impact is significant.

Generated by OpenCVE AI on May 29, 2026 at 12:54 UTC.

Remediation

Vendor Workaround

There are no official workarounds. To mitigate this vulnerability without upgrading, restrict project creation and modification permissions to trusted administrative users.


OpenCVE Recommended Actions

  • Apply the latest Mautic patch that addresses the Projects XSS issue
  • Restrict project creation and modification permissions to a small set of trusted administrative users
  • Disable or delete any projects that contain suspicious characters or known malicious names
  • If an immediate patch is unavailable, monitor administrative user activity and consider disabling the Projects component until remediation can occur

Generated by OpenCVE AI on May 29, 2026 at 12:54 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 13:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Stored XSS in Mautic 7 Project Names Exposes Administrators

Fri, 29 May 2026 12:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Mautic, Mautic mautic
Vendors & Products  |                | Mautic, Mautic mautic

Fri, 29 May 2026 11:45:00 +0000

Type        | Values Removed | Values Added
Description |                | A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data.
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mautic

Published:

Updated: 2026-05-29T14:39:42.198Z

Reserved: 2026-05-28T08:01:21.107Z

Link: CVE-2026-9809

Vulnrichment

Updated: 2026-05-29T14:39:39.392Z

NVD

Status: Deferred

Published: 2026-05-29T12:16:26.917

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T13:00:09Z

Weaknesses