Description
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
Published: 2026-05-29
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored Cross‑Site Scripting flaw exists in Mautic 7’s project selector component. When the application renders project selection menus via AJAX, it injects project names directly into the DOM without sanitization. An authenticated user who can create projects may store a malicious script payload in a project’s name. When another administrative user opens an entity editor containing the project selector, the embedded script runs in the context of that user’s browser session, potentially leading to session hijacking, unauthorized operations, or data exposure.

Affected Systems

The vulnerability affects Mautic 7 installations, specifically the project selector used when associating projects with system entities. No specific patch or version is listed yet; any Mautic 7 instance that allows project creation by users is potentially impacted.

Risk and Exploitability

The CVSS score of 5.4 classifies the issue as medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attacker must be authenticated with project‑creation rights and must convince or wait for another administrative user to load the affected editor. Once the script executes, it can hijack the session or trigger additional unauthorized actions within the user’s active context.

Generated by OpenCVE AI on May 29, 2026 at 12:26 UTC.

Remediation

Vendor Workaround

There are no official workarounds. To mitigate this vulnerability without upgrading, restrict project creation and modification permissions to trusted administrative users.


OpenCVE Recommended Actions

  • Audit installed Mautic versions and apply the vendor’s security patch as soon as it becomes available
  • Restrict project creation and modification permissions to a narrow set of trusted administrators while the issue persists
  • Ensure that project name input is validated and output‑encoded on the server side; consider disabling the ability to edit project names through the UI if immediate remediation is not possible
  • Deploy a web‑application firewall rule that blocks or sanitizes scripting payloads in request parameters targeting the project selector
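The unsanitized option rendering the description explains, beside an output-encoded version that matches the remediation advice above, as an added JavaScript example (not Mautic's own code; the project list, function names and the id/name field names are assumptions):

```javascript
// Added example (not Mautic's code): how a project selector should turn
// AJAX-returned project names into <option> fields, contrasted with the
// unsafe concatenation the advisory describes. Sample data is constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for an HTML element or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Unsafe pattern: project names are concatenated into markup unchanged,
// so a stored name containing tags becomes live HTML in the editor.
function renderProjectOptionsUnsafe(projects) {
  return projects
    .map((p) => `<option value="${p.id}">${p.name}</option>`)
    .join('');
}

// Hardened pattern: every untrusted field is encoded for the context it
// lands in, so a name containing "<script>" is displayed, not executed.
function renderProjectOptionsSafe(projects) {
  return projects
    .map((p) => `<option value="${escapeHtml(p.id)}">${escapeHtml(p.name)}</option>`)
    .join('');
}

// Browser-side equivalent: the Option constructor sets text and value as
// data rather than markup, so no manual encoding step is needed.
function appendProjectOptions(selectEl, projects) {
  for (const p of projects) selectEl.add(new Option(p.name, String(p.id)));
}

// Defender-side audit: return ids of stored project names that contain
// markup characters so an administrator can review them before upgrading.
function findProjectNamesWithMarkup(projects) {
  return projects.filter((p) => /[<>]/.test(p.name)).map((p) => p.id);
}

// Constructed sample data; the second name carries an inert script tag.
const SAMPLE_PROJECTS = [
  { id: 1, name: 'Spring Campaign' },
  { id: 2, name: 'R&D <script>alert(1)</script>' },
];
```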



Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 12:45:00 +0000

First Time appeared (values added): Mautic; Mautic mautic
Vendors & Products (values added): Mautic; Mautic mautic

Fri, 29 May 2026 11:45:00 +0000

Description (values added): A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
Weaknesses (values added): CWE-79
References (values added): (none)
Metrics (values added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Mautic

Published:

Updated: 2026-05-29T14:34:13.971Z

Reserved: 2026-05-28T08:07:14.977Z

Link: CVE-2026-9811

Vulnrichment

Updated: 2026-05-29T14:34:09.758Z

NVD

Status : Deferred

Published: 2026-05-29T12:16:27.030

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T12:30:43Z

Weaknesses