CVE-2026-9809: Stored XSS in Mautic 7 Projects Component
Mautic 7 contains a stored cross-site scripting (XSS) vulnerability in its Projects component. When project names are displayed as tags or in hover-over tooltips on admin pages—like campaign, email, or form management screens—the application fails to sanitize user input. An authenticated attacker with project creation or editing permissions can inject malicious JavaScript into a project name. When an administrator later views any entity tied to that compromised project and hovers over its tag, the attacker's script runs in the admin's browser with their full privileges. This could lead to unauthorized administrative actions, system configuration changes, or data theft.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9809 is a stored XSS flaw affecting Mautic 7's Projects component. The vulnerability resides in the rendering of project tags and popovers in administrative detail views. User-supplied project names bypass input validation and output encoding, allowing injection of script payloads. Exploitation requires prior authentication and the ability to create or modify projects—a capability that may be held by multiple user roles depending on Mautic's permission model. The attack vector is network-based with low complexity; the user interaction requirement stems from the need for an admin to hover over a poisoned tag. The scope changes because script execution occurs in the admin context, potentially affecting system-wide operations. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the underlying weakness.
Business impact
A compromised Mautic instance becomes a vector for insider attacks or lateral movement by lower-privileged users. Attackers can impersonate administrators, modify campaigns or email templates, extract subscriber lists, alter system settings, or inject further malicious content into marketing collateral. For organizations using Mautic to manage customer communications or lead nurturing, this represents a threat to brand integrity, customer data confidentiality, and regulatory compliance (e.g., GDPR, CCPA if personal data is accessed). The reliance on user interaction (hovering) and prior authentication limits exposure in strictly controlled environments, but multi-user SaaS or cloud deployments face higher risk.
Affected systems
Mautic 7 installations are affected. The vulnerability exists in the Projects component and manifests when administrative users view entities (campaigns, emails, forms, etc.) that are tagged with or associated with projects. Any Mautic instance with multiple user roles or delegated project management is a potential target. Organizations running Mautic 6 or earlier versions should verify their patch status against Mautic's official security advisories, as the ground-truth data does not specify prior version vulnerability.
Exploitability
Exploitation requires valid Mautic user credentials and project management permissions. The attacker crafts a malicious project name containing JavaScript, saves it, and waits for an administrator to interact with the UI—specifically, hovering over a project tag. No complex exploitation techniques are needed; basic XSS payload construction suffices. The barrier to entry is moderate: an insider with project edit rights, a contractor with limited access, or a user whose credentials were compromised could execute this attack. The reliance on hover interaction and the need for admin involvement reduce the attack surface compared to self-executing stored XSS, but do not eliminate the risk in multi-user environments.
Remediation
Update Mautic 7 to a patched version released by the Mautic project. Organizations should verify patch availability through the official Mautic security advisories and release notes. As an interim control, restrict project creation and editing permissions to the minimum necessary set of trusted users. Review and sanitize any existing projects for suspicious names. Implement Content Security Policy (CSP) headers to limit inline script execution. Monitor administrative user activity and session logs for signs of compromise.
Patch guidance
Check Mautic's official security advisory and GitHub release notes for version 7.x patches that address stored XSS in the Projects component. Apply the patch to all Mautic 7 instances during a maintenance window. Test the patch in a staging environment before production deployment. After patching, clear browser caches and session data to ensure the fixed UI code is loaded. For organizations unable to patch immediately, enforce application-level controls: disable project editing for non-administrative users and monitor project names for suspicious content.
Detection guidance
Search Mautic project names (accessible via database queries or admin API) for common XSS payloads such as <script>, javascript:, onerror=, and onload= patterns. Monitor web server and application logs for POST/PUT requests to project creation or update endpoints originating from unexpected IP ranges or user accounts. Review browser console errors and JavaScript execution logs on administrative workstations for evidence of script injection. Implement input validation rules or Web Application Firewall (WAF) signatures to block project name submissions containing script tags or event handlers. Alert on any project name modifications by non-admin accounts if your RBAC is configured to prevent that.
Why prioritize this
This vulnerability scores 7.6 (HIGH) due to the combination of high integrity impact (ability to modify system state and data), low attack complexity, and a change in scope from the attacker's initial privileges. Although it requires authentication and user interaction, it poses a significant risk in multi-user or SaaS deployments. Organizations using Mautic for critical marketing operations, customer data management, or in compliance-sensitive industries should prioritize patching. The ease of exploitation once a foothold is obtained makes this a candidate for rapid remediation even in environments with limited external exposure.
Risk score, explained
CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N yields a score of 7.6. The network attack vector (AV:N) reflects that Mautic is typically accessed over the web. Low attack complexity (AC:L) reflects the straightforward nature of XSS payload injection. Low privilege requirements (PR:L) indicate that users with basic project management permissions can exploit it. The user interaction requirement (UI:R) stems from the need for an admin to hover over a tag. Changed scope (S:C) elevates severity because the impact extends beyond the attacker's original permission level into administrative functions. Low confidentiality impact (C:L) and high integrity impact (I:H) reflect the primary risk of unauthorized data access and system modification; no availability impact is expected.
Frequently asked questions
Can this vulnerability be exploited without administrator involvement?
No. The payload is stored in the project name, but it only executes when an authenticated administrator hovers over the tag in an administrative detail view. An attacker cannot trigger execution directly; they must wait for admin interaction or socially engineer an admin to hover over the poisoned tag.
Does this affect Mautic users who only create and manage campaigns, or does it require project creation permissions?
Campaign and email creators can be vulnerable if they view projects, but only users with explicit project creation or editing permissions can inject the malicious payload. The risk is highest in installations where project management is delegated to multiple user roles.
What should we do if we suspect our Mautic instance has been compromised via this vulnerability?
First, apply the security patch immediately. Then, audit your Mautic database or admin UI to inspect all project names for suspicious content (script tags, event handlers). Review access logs and session activity for unauthorized administrative actions. Consider forcing a password reset for all administrative users and reviewing any recent configuration or campaign changes.
Is there a workaround if we cannot patch immediately?
Yes. Restrict project creation and editing permissions to a minimal set of highly trusted administrators. Implement a Web Application Firewall (WAF) rule to block HTTP requests with XSS patterns in the project name parameter. These interim controls reduce risk but do not eliminate it; patching is the definitive remedy.
This intelligence is derived from the CVE record published on 2026-05-29 and last modified on 2026-06-17. The information herein is provided for informational purposes and does not constitute legal, compliance, or professional security advice. Organizations should consult their own security and legal teams before taking remediation actions. Patch versions and availability should be verified directly against Mautic's official security advisories and release notes. No exploit code or weaponized proof-of-concept is provided or endorsed. SEC.co makes no warranty regarding the completeness or accuracy of affected product lists and recommends independent verification of vulnerability scope within your environment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)