VYPR
Critical severity 9.9 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-9558

Description

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated Mautic users with theme privileges can inject malicious Twig templates, leading to remote code execution.

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions, so a template author can reach any native Twig function or filter the environment exposes [1]. This affects 7.x before 7.1.2, 6.x before 6.0.9, 5.x before 5.2.11, and 4.x before 4.4.20 (ELTS) [1].

Exploitation

An attacker must be authenticated and hold the permission to create or upload themes (the core:themes:create capability) [1]. By uploading a theme containing a malicious Twig template, the attacker can embed template expressions that, because the theme engine compiles and renders the template without a sandbox, reach PHP functions and shell command execution through Twig's built-in function and filter constructs [1]. The prerequisite is a privileged account, not an unauthenticated network position, so the practical exposure depends on how widely theme privileges are granted.

Impact

Successful exploitation allows the attacker to achieve Remote Code Execution (RCE) on the hosting server, or to read restricted system files and configuration settings [1]. This can lead to full server compromise, data exfiltration, and lateral movement within the infrastructure.

Mitigation

The vulnerability is fixed in Mautic 7.1.2, 6.0.9, 5.2.11, and, for 4.x, 4.4.20 via ELTS [1]. No official workarounds exist; until the upgrade is applied, administrators should restrict theme upload and creation permissions to a small set of highly trusted users [1] and review existing custom themes for unexpected Twig expressions.
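To make the Exploitation and Mitigation sections concrete, the following is an added illustration of the general Twig pattern, not Mautic's code and not the vendor's fix. It renders two constructed "uploaded theme" templates, first with a plain Twig Environment (the unsandboxed situation the advisory describes) and then with Twig's SandboxExtension and an explicit SecurityPolicy allowlist. The hostile template reaches a PHP callable by name through the core `map` filter; `strtoupper` stands in for whatever an attacker would choose. The allowlist contents, template names and sample data are assumptions for the demo; the Twig classes and the sandbox behaviour are real.

```php
<?php
// Added example (not Mautic code): untrusted Twig templates with and without a sandbox.
// Assumes `composer require twig/twig` has been run in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample "theme" templates standing in for uploaded theme files.
// The second one passes a PHP function name into a core filter that accepts a
// callable; outside a sandbox Twig will call it.
const TEMPLATES = [
    'benign.html.twig'  => '<h1>{{ title|upper }}</h1>',
    'hostile.html.twig' => '{{ ["hello"]|map("strtoupper")|join }}',
];

// How an unsandboxed theme engine behaves: every core filter/function is reachable.
function renderUnsandboxed(string $name): string
{
    $twig = new Environment(new ArrayLoader(TEMPLATES));
    return $twig->render($name, ['title' => 'Theme preview']);
}

// Hardened form: the same templates under SandboxExtension with an allowlist.
// Callable-taking filters (map, filter, reduce, sort) are deliberately absent.
function renderSandboxed(string $name): string
{
    $policy = new SecurityPolicy(
        ['if', 'for', 'set', 'block', 'extends', 'include'],  // allowed tags
        ['escape', 'upper', 'lower', 'date', 'join', 'length'], // allowed filters
        [],                                                     // allowed object methods
        [],                                                     // allowed object properties
        ['range', 'block', 'parent']                            // allowed functions
    );
    $twig = new Environment(new ArrayLoader(TEMPLATES));
    // Second argument true: every template is sandboxed, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->render($name, ['title' => 'Theme preview']);
}

foreach (array_keys(TEMPLATES) as $name) {
    echo "$name (no sandbox): ", renderUnsandboxed($name), PHP_EOL;
    try {
        echo "$name (sandboxed):  ", renderSandboxed($name), PHP_EOL;
    } catch (TwigError $e) {
        // SecurityError subclasses and RuntimeError both extend Twig\Error\Error.
        echo "$name (sandboxed):  rejected: ", $e->getMessage(), PHP_EOL;
    }
}
```

Under the sandbox the benign theme still renders, while the hostile one is rejected at the policy check because `map` is not allowlisted; even if `map` were allowed, Twig in sandbox mode requires the callable argument to be a Closure and refuses a bare function name. The point for reviewers is that a sandbox is only as good as its allowlist: any filter or function that accepts a callable, or any object method that touches the filesystem or configuration, has to stay off the list.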

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 entries: Mautic/Mautic (inferred), 2 versions, no CPE assigned

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.