VYPR

Packagist (Composer) package

mautic/core

pkg:composer/mautic/core

Vulnerabilities (49)

  • CVE-2026-3105, Feb 24, 2026
    affected >= 2.10.0, < 5.2.10; fixed 5.2.10

    Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities. A vulnerability exists in the query construction for the Contact Activity timeline where the parameter responsible for determining the sort direction was not s

  • CVE-2025-13828 (Critical), Dec 2, 2025
    affected >= 4.0.0, < 4.4.18; fixed 4.4.18

    Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable Composer-based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain

  • CVE-2025-9824 (Medium), Sep 3, 2025
    affected >= 4.4.0, < 4.4.17; fixed 4.4.17

    Impact: The attacker can validate whether a user exists by measuring how long the login request takes to return. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute-force attacks. Patches: This vulnerability has been patched, implementing a timing-safe

  • CVE-2025-9823 (Medium), Sep 3, 2025
    affected >= 4.4.0, < 4.4.17; fixed 4.4.17

    Summary: A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user's session. This occurs because user-supplied input is reflected back in the server's response without proper sanitization or escaping, potentially e

  • CVE-2025-9822 (Medium), Sep 3, 2025
    affected >= 4.4.0, < 4.4.17; fixed 4.4.17

    Summary: A user with administrator rights can change the configuration of the Mautic application and extract secrets that are not normally available. Impact: An administrator who usually does not have access to certain parameters, such as database credentials, can disclose them.

  • CVE-2025-9821 (Low), Sep 3, 2025
    affected >= 4.4.0, < 4.4.17; fixed 4.4.17

    Summary: Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request response is also disclosed. Details: When sending webhooks, the destination is not validated, causing SSRF. Impact: Bypass of firewalls to in

  • CVE-2025-5256 (Medium), May 28, 2025
    affected >= 1.0.0, < 4.4.16; fixed 4.4.16

    Summary: This advisory addresses an Open Redirection vulnerability in Mautic's user unlocking endpoint. This vulnerability could be exploited by an attacker to redirect legitimate users to malicious websites, potentially leading to phishing attacks or the delivery of exploit kits.

  • CVE-2024-47057 (Medium), May 28, 2025
    affected >= 1.0.0, < 4.4.16; fixed 4.4.16

    Summary: This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration vulnerabilit

  • CVE-2024-47055, May 28, 2025
    affected >= 5.0.0-alpha, < 5.2.6; fixed 5.2.6

    Summary: This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any authenticated user to clone segments without proper authorization checks. Insecure Direct Object Reference (IDOR) / Missing Authorization

  • CVE-2025-5257 (Medium), May 28, 2025
    affected >= 4.0.0, < 4.4.16; fixed 4.4.16

    Summary: This advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information. Unautho

  • CVE-2024-47056 (Medium), May 28, 2025
    affected >= 4.4.0, < 4.4.16; fixed 4.4.16

    Summary: This advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critic

  • CVE-2024-47051, Feb 26, 2025
    affected < 5.2.3; fixed 5.2.3

    This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be exploited by authenticated users. * Remote Code Execution (RCE) via Asset Upload: A Remote Code Execution vulnerability has been identified in

  • CVE-2024-47053, Feb 26, 2025
    affected >= 1.0.1, < 5.2.3; fixed 5.2.3

    This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data. * Improper Authorization: An authorization flaw exists in Mautic's API Authorization implementation

  • CVE-2022-25773, Feb 26, 2025
    affected < 5.2.3; fixed 5.2.3

    This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the server. * Improper Limitation of a Pathname to a Restricted Directory: A vulnerability exists in the asset upload functionality that allows users to

  • CVE-2022-25770, Sep 18, 2024
    affected >= 1.0.0-beta3, < 4.4.13; fixed 4.4.13

    Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to a vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.

  • CVE-2024-47059, Sep 18, 2024
    affected >= 5.1.0, < 5.1.1; fixed 5.1.1

    When logging in with the correct username and an incorrect, weak password, the user receives a notification that their password is too weak. However, when an incorrect username is provided alongside a weak password, the application responds with an ’Invalid credentials’ notifica

  • CVE-2021-27917, Sep 18, 2024
    affected >= 1.0.0-beta4, < 4.4.13; fixed 4.4.13

    Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report.

  • CVE-2024-47050, Sep 18, 2024
    affected >= 2.6.0, < 4.4.13; fixed 4.4.13

    Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.

  • CVE-2024-47058, Sep 18, 2024
    affected >= 5.0.0-alpha, < 5.1.1; fixed 5.1.1

    With access to edit a Mautic form, the attacker can add stored Cross-Site Scripting in the HTML field. This could be used to steal sensitive information from the user's current session.

  • CVE-2022-25768, Sep 18, 2024
    affected >= 1.1.3, < 4.4.13; fixed 4.4.13

    The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of t

Page 1 of 3