VYPR
Medium severity (5.4) · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-9811


Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Mautic 7's project selector allows authenticated users to inject scripts via project names, leading to session hijacking when admins view entity editors.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. Affected versions include Mautic 7 prior to 7.1.2; Mautic 6.x, 5.x, and 4.x are not affected as they lack the Projects feature [1].

Exploitation

An attacker must be an authenticated user with permissions to create projects. The attacker creates a project with a crafted script as its name. When another administrative user subsequently opens an entity editor that includes the project selector, the injected script executes within the context of their active browser session. No additional user interaction beyond opening the editor is required [1].
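The rendering flaw described in the Vulnerability and Exploitation sections, as an added example that is not Mautic's code and not taken from the referenced advisory: a selector built by concatenating AJAX-returned project names into option markup, the same data rendered safely by escaping and by DOM text nodes, and a small check for reviewing stored project names on an already-deployed instance. The response shape, the sample payload, and every function name below are assumptions made for the illustration.

```javascript
// Added illustration, not Mautic's code: how a project selector becomes a
// stored-XSS sink when option markup is built from an AJAX response by
// string concatenation, and two ways to render the same data safely.
// The response shape, field names and function names are assumptions.

// Constructed sample of a "list projects" AJAX response. Project 3 carries
// the kind of payload an authenticated project creator could store.
const sampleProjects = [
  { id: 1, name: "Q3 Campaign" },
  { id: 2, name: "Ops & Support" },
  { id: 3, name: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable pattern: the untrusted name is spliced straight into markup.
// If a caller then does select.innerHTML = buildOptionsUnsafe(projects),
// the browser parses the stored payload as HTML and runs the onerror
// handler in the viewing admin's session.
function buildOptionsUnsafe(projects) {
  return projects
    .map((p) => `<option value="${p.id}">${p.name}</option>`)
    .join("");
}

// Minimal HTML entity escaping that is safe for element text and for
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern 1: keep the string-building style but escape every
// untrusted value before it is spliced in.
function buildOptionsEscaped(projects) {
  return projects
    .map(
      (p) =>
        `<option value="${escapeHtml(p.id)}">${escapeHtml(p.name)}</option>`
    )
    .join("");
}

// Hardened pattern 2 (browser only): build DOM nodes and assign the name as
// text, so it is never parsed as HTML at all. Defined here for reference;
// it needs a real `document` and is not exercised under Node.
function populateSelect(selectEl, projects) {
  selectEl.replaceChildren();
  for (const p of projects) {
    const opt = document.createElement("option");
    opt.value = String(p.id);
    opt.textContent = p.name;
    selectEl.appendChild(opt);
  }
}

// Triage helper for an already-deployed instance: flag stored project names
// that contain markup or inline-handler syntax so they can be reviewed.
const MARKUP_RE = /[<>]|on\w+\s*=|javascript:|&#/i;
function findSuspiciousNames(projects) {
  return projects.filter((p) => MARKUP_RE.test(p.name));
}

// Stand-alone demo of the three behaviours on the constructed sample.
console.log("unsafe :", buildOptionsUnsafe(sampleProjects));
console.log("escaped:", buildOptionsEscaped(sampleProjects));
console.log("review :", findSuspiciousNames(sampleProjects).map((p) => p.id));
```

The escaping variant is the smallest change to code that already builds markup as strings; the DOM variant is preferable for new code because it removes the HTML-parsing step entirely rather than relying on every call site remembering to escape. The triage helper is deliberately broad (it also flags names containing a bare `<` or `>`) because a false positive costs a glance, while a missed stored payload keeps firing in every admin session until the name is cleaned up.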

Impact

Upon successful exploitation, the attacker can hijack the victim's session, perform unauthorized state coordination, or access organizational data within the dashboard. The script runs in the context of the administrative user's session, potentially allowing further compromise [1].

Mitigation

The vulnerability is fixed in Mautic version 7.1.2 [1]. No official workarounds exist; as a mitigation, restrict project creation and modification permissions to trusted administrative users. Because the payload is stored in the project name, existing project names should also be reviewed for HTML or script markup when upgrading. Mautic 6.x, 5.x, and 4.x are not affected and do not require patching [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Mautic / Mautic (inferred, 2 versions)
    • (no CPE) range: <=7
    • (no CPE) range: 7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.