CVE-2026-9559
Description
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal flaw in Mautic 7's campaign import ZIP extraction lets authenticated attackers write arbitrary PHP files, achieving RCE.
Vulnerability
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, the validation logic fails to properly sanitize file paths, allowing them to escape intended temporary directories. Affected versions include Mautic 7.x prior to 7.1.2. Versions 6.x, 5.x, and 4.x are not affected [1].
Exploitation
An attacker must be authenticated and hold the campaign:imports:create privilege. The attacker crafts a ZIP archive containing entries whose names include path traversal sequences (e.g., ../). When the archive is uploaded and extracted during a campaign import, the flawed validation lets those entries be written outside the intended temporary directory, allowing files to be placed in sensitive system directories [1].
Impact
Successful exploitation allows the attacker to write arbitrary PHP files to sensitive directories, such as those containing internal configuration or cache components. This can lead to remote code execution (RCE) under the context of the web server user, resulting in full compromise of the application and potentially the underlying server [1].
Mitigation
The vulnerability is fixed in Mautic version 7.1.2, released on an unspecified date [1]. No official workarounds are available; however, administrators can mitigate risk by revoking the campaign:imports:create permission from non-administrative users until upgrading is possible [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
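The extraction check that the Exploitation and Mitigation sections describe as missing, shown as an added example (not Mautic's code and not the fix shipped in 7.1.2): each archive entry's target path is fully resolved and must stay inside the import directory, otherwise the entry is rejected. The archive, entry names and the `import-tmp` directory are constructed fixtures for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract into dest, rejecting every entry whose resolved path leaves dest.
    Comparing the fully resolved target catches '../' sequences, absolute names
    and a destination that has itself been symlinked elsewhere with one check."""
    root = Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if target != root and root not in target.parents:
                rejected.append(info.filename)  # would escape the import dir
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed fixture: one benign entry plus one '../' traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("campaign/export.json", '{"name": "demo"}')
        zf.writestr("../escaped.txt", "must never land outside the import dir")
    return buf.getvalue()


def demo() -> dict:
    """Run the hardened extractor against the fixture in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "import-tmp"  # stands in for the import temp dir
        dest.mkdir()
        extracted, rejected = safe_extract(build_demo_archive(), str(dest))
        return {
            "extracted": extracted,
            "rejected": rejected,
            "escaped_file_exists": (Path(scratch) / "escaped.txt").exists(),
            "benign_content": (dest / "campaign" / "export.json").read_text(),
        }
```

Because the comparison is made on the resolved path rather than on the raw entry name, the same check also covers a temporary directory that an attacker-controlled symlink has redirected elsewhere.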
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.