CVE-2026-9811: Stored XSS in Mautic 7 Project Selector—Vulnerability Guide
Mautic 7 contains a stored cross-site scripting (XSS) flaw in its project selector component. An authenticated user with project creation permissions can inject malicious JavaScript into a project name. When an admin later opens an entity editor that displays that project in a dropdown, the script runs in the admin's browser—potentially allowing the attacker to steal sessions, manipulate data, or access sensitive dashboard information. The vulnerability requires user interaction (admin opening the editor) and valid authentication to exploit, making it a medium-risk issue that is not currently tracked as actively exploited in the wild.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient output encoding in the project selector's AJAX-powered dropdown rendering. Mautic 7 retrieves project names via AJAX and inserts them directly into DOM option elements without sanitization. An attacker authenticated with project creation privileges can craft a project name containing script tags or event handlers (e.g., <img src=x onerror='malicious code'>). When another user with administrative privileges renders an entity editor containing the project selector, the unsanitized project name is parsed as HTML, and the embedded script executes within the admin's authenticated session context. This is classified as stored XSS because the payload persists in the database and triggers every time an admin interacts with that project selector.
Business impact
A successful exploit could compromise administrative user sessions, enabling attackers to perform unauthorized actions such as modifying system configurations, extracting organizational data from the Mautic dashboard, or creating backdoor user accounts. The attack chain requires two separate user actions (attacker creates a malicious project; admin later opens an editor), but the stored nature means the threat remains persistent until the malicious project is deleted. For organizations using Mautic for marketing automation and CRM functions, compromised admin accounts could lead to unauthorized customer data access, campaign manipulation, or credential harvesting.
Affected systems
Mautic version 7 is confirmed affected. The project selector component is a core UI element used whenever administrators associate projects with entities (campaigns, leads, segments, or other system objects), making the exposure broad across typical Mautic deployments. Older Mautic versions may have different implementations; confirmation of affected versions beyond 7 requires consultation of vendor advisories. All instances are vulnerable regardless of deployment model (self-hosted or SaaS) if running the affected version.
Exploitability
Exploitation requires valid authentication (attacker must be a Mautic user) and permissions to create projects—a privilege typically granted to marketing managers or system administrators in standard Mautic setups. However, the barrier is moderate; many organizations grant broad project creation rights. The actual trigger requires a secondary action: an administrative user must open an entity editor containing the malicious project in the dropdown. This UI-driven interaction is not guaranteed, but in active Mautic environments where admins regularly manage projects and entities, the likelihood is reasonable. No special network access or complex attack techniques are needed beyond basic XSS payload crafting. The CVSS score of 5.4 (MEDIUM) reflects the requirement for authentication and user interaction, offset by the high potential for session hijacking or privilege abuse.
Remediation
Organizations must update Mautic to a patched version as soon as it becomes available from the vendor. As an interim control, restrict project creation permissions to a minimal set of trusted administrators, and review existing project names for suspicious content (unusual characters, script-like syntax). Educate administrative staff to avoid clicking unfamiliar project names or entity editors from untrusted sources. Web application firewalls (WAF) configured to block reflected/stored XSS patterns in project names may provide temporary mitigation, though this is not a substitute for patching.
Patch guidance
Watch for a Mautic security update addressing CVE-2026-9811. Verify the specific patched version number in the official Mautic security advisory before deployment. Patch testing should include verification that project selectors correctly render previously created projects without executing any stored payloads. Automated regression testing of the AJAX project dropdown functionality is recommended. Apply patches to all instances (development, staging, production) in a coordinated rollout to avoid introducing inconsistencies.
Detection guidance
Monitor Mautic application logs and database audit trails for project creation events containing unusual characters, HTML tags, or event handler syntax (e.g., 'onerror=', 'onclick=', '<script'). Correlate these with subsequent entity editor access by high-privilege accounts. Web application firewalls or intrusion detection systems can flag HTTP requests with XSS signatures in project name parameters. Consider periodic security scanning of Mautic project tables using data loss prevention (DLP) or content inspection tools. Inspect browser console errors or JavaScript execution logs on admin workstations for unexpected script execution tied to project selector interactions.
Why prioritize this
Although ranked as MEDIUM severity, this vulnerability merits prompt attention due to the privileged nature of affected users (admins) and the persistent, stored attack vector. Unlike reflected XSS, stored XSS can lie dormant and compromise multiple admin sessions over time. The combination of session hijacking potential and organizational data access risk elevates practical impact. Prioritize patching in environments where Mautic handles sensitive customer data or is tightly integrated with identity systems. It is not yet listed in the Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation is not currently documented, but the straightforward exploitation path warrants treating it as a likely future target.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects: Network-based attack vector (AV:N), Low attack complexity (AC:L), requirement for Low privilege level (PR:L—authenticated user status), and user interaction needed (UI:R—admin must open the editor). The impact scope is changed (S:C) because the script executes in an administrative context with broader system access than the project creator. Confidentiality and integrity are degraded (C:L, I:L) due to potential session hijacking and unauthorized actions, but availability is not impacted (A:N). Organizations handling high-value data should treat this as a priority despite the MEDIUM label.
Frequently asked questions
Can an attacker exploit this without a valid Mautic account?
No. The attacker must be an authenticated Mautic user with permissions to create projects. However, organizations with open registration or generous permission models may face lower barriers. Restrict project creation privileges to reduce exposure.
Does the malicious project name execute immediately when created, or only when viewed?
Only when viewed. The payload is stored in the database inert. It executes only when an administrative user opens an entity editor containing the project selector dropdown and the browser renders the unsanitized project name. This delayed trigger means the compromise may go unnoticed for some time.
What data could an attacker access if they hijack an admin session?
Depends on the compromised admin's role, but typically includes all Mautic entities (campaigns, leads, contacts, segments), configuration settings, user accounts, and integration credentials. In organizations using Mautic for CRM, this could expose customer personal data, transaction history, or email addresses.
Is there a temporary workaround before a patch is available?
No perfect workaround exists. Best practices include minimizing project creation permissions, auditing existing project names for suspicious content, and restricting admin access to trusted networks or VPNs. However, only a patched version fully eliminates the vulnerability.
This analysis is based on publicly disclosed vulnerability data and vendor advisories current as of the publication date. Specific patch versions and timelines are not confirmed here; verify against official Mautic security notices before patching. This document does not constitute legal, compliance, or liability advice. Organizations should conduct independent risk assessments tailored to their deployment, data sensitivity, and regulatory obligations. SEC.co makes no warranty regarding the completeness or accuracy of derived impact estimates. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1