High severity8.3NVD Advisory· Published Aug 30, 2021· Updated Jun 17, 2026
CVE-2021-27911
CVE-2021-27911
Description
Mautic versions before 3.3.4/4.0.0 are vulnerable to an inline JS XSS attack through the contact's first or last name and triggered when viewing a contact's details page then clicking on the action drop down and hovering over the Campaigns button. Contact first and last name can be populated from different sources such as UI, API, 3rd party syncing, forms, etc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mautic/corePackagist | < 3.3.4 | 3.3.4 |
mautic/corePackagist | >= 4.0.0-alpha1, < 4.0.0 | 4.0.0 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/mautic/mautic/security/advisories/GHSA-72hm-fx78-xwhcnvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-72hm-fx78-xwhcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-27911ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27911.yamlghsaWEB
News mentions
0No linked articles in our index yet.