VYPR
High severity · 7.6 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-9809

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-9809 is a stored XSS in Mautic 7's Projects component: unsanitized project names are rendered into tags and popovers, so an attacker's script runs with an administrator's privileges when the administrator hovers over a project tag.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization [1]. Mautic versions 7.0.0 through 7.1.1 are affected; the Projects feature is absent in 6.x, 5.x, and 4.x branches [1].

Exploitation

An authenticated user with permissions to create or edit projects can inject a malicious script payload into a project name. When an administrative user navigates to an entity associated with that compromised project and hovers the cursor over its tag, the script executes in the context of the administrator's browser session [1]. No additional user interaction beyond hovering is required.

Impact

Successful exploitation allows the attacker to perform administrative actions on behalf of the victim, including modifying system configurations or exfiltrating sensitive data. The script runs with the same privileges as the target administrator, fully compromising the affected Mautic instance [1].

Mitigation

The vulnerability is patched in Mautic version 7.1.2 [1]. No official workarounds exist; administrators can mitigate risk by restricting project creation and modification permissions to trusted users only [1].
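The Vulnerability and Mitigation sections above describe the root cause (a project name interpolated raw into tag and popover markup) and the fix (escaping before rendering). The following is an added JavaScript illustration, not Mautic's own template code; the markup shape, the function names and the sample project records are assumptions. It shows the unsafe rendering beside its hardened form and an audit helper a defender can run over stored project names on an instance that is not yet on 7.1.2.

```javascript
// Added example (not Mautic's own code). HTML escaping for the five characters
// that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering (the pattern this CVE describes): the stored name is placed
// raw into both the popover attribute and the visible tag text, so any markup
// in the name becomes live HTML on the administrative detail view.
function renderProjectTagUnsafe(project) {
  return `<span class="project-tag" title="${project.name}">${project.name}</span>`;
}

// Hardened rendering: attribute value and text node are both escaped, so the
// name is displayed literally regardless of its content.
function renderProjectTagSafe(project) {
  const name = escapeHtml(project.name);
  return `<span class="project-tag" title="${name}">${name}</span>`;
}

// Defender-side audit: return ids of stored project names that look like
// markup or inline event handlers, for review on an unpatched instance.
// Pattern is an assumption; it flags tag-like text, javascript: URLs and on*= handlers.
function findSuspiciousProjectNames(projects) {
  const suspicious = /<\s*[a-z!\/]|javascript:|\bon\w+\s*=/i;
  return projects.filter((p) => suspicious.test(p.name)).map((p) => p.id);
}

// Constructed sample records (not real Mautic data). Record 2 carries a
// hover-triggered payload-shaped name; record 3 only contains ordinary quotes.
const sampleProjects = [
  { id: 1, name: 'Spring Campaign' },
  { id: 2, name: '<b onmouseover="alert(1)">Marketing</b>' },
  { id: 3, name: 'Q3 "Beta" Launch' },
];
```

`renderProjectTagSafe(sampleProjects[1])` yields a tag whose text reads `&lt;b onmouseover=...` and therefore never creates an element or handler, while `findSuspiciousProjectNames(sampleProjects)` returns only `[2]`.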

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Mautic/Mautic (inferred), 2 versions
    • (no CPE) range: = 7.0.0
    • (no CPE) range: 7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.