{"api_version":"1","generated_at":"2026-05-29T16:23:38+00:00","cve":"CVE-2026-9558","urls":{"html":"https://cve.report/CVE-2026-9558","api":"https://cve.report/api/cve/CVE-2026-9558.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9558","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9558"},"summary":{"title":"CVE-2026-9558","description":"A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.","state":"PUBLISHED","assigner":"Mautic","published_at":"2026-05-29 11:16:17","updated_at":"2026-05-29 15:39:34"},"problem_types":["CWE-1336","CWE-1336 CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine"],"metrics":[{"version":"3.1","source":"security@mautic.org","type":"Secondary","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.9","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg","name":"https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg","refsource":"security@mautic.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9558","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9558","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Onurcan Genç (@onurcangnc)","lang":"en"},{"source":"CNA","value":"Daniel Zhang (@xfer0)","lang":"en"},{"source":"CNA","value":"Tuan Do (@Entropt)","lang":"en"},{"source":"CNA","value":"Patryk Gruszka (@patrykgruszka)","lang":"en"},{"source":"CNA","value":"John Linhart (@escopecz)","lang":"en"},{"source":"CNA","value":"Leuchtfeuer Digital Marketing (@Leuchtfeuer)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-9558","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-05-29T10:48:50.985840Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-29T10:49:06.099Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://packagist.org","defaultStatus":"unaffected","packageName":"mautic/core","repo":"https://github.com/mautic/mautic","versions":[{"lessThan":"4.4.20","status":"affected","version":"1.3.0","versionType":"semver"},{"lessThan":"5.2.11","status":"affected","version":"5.0.0","versionType":"semver"},{"lessThan":"6.0.9","status":"affected","version":"6.0.0","versionType":"semver"},{"lessThan":"7.1.2","status":"affected","version":"7.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Onurcan Genç (@onurcangnc)"},{"lang":"en","type":"finder","value":"Daniel Zhang (@xfer0)"},{"lang":"en","type":"finder","value":"Tuan Do (@Entropt)"},{"lang":"en","type":"remediation reviewer","value":"Patryk Gruszka (@patrykgruszka)"},{"lang":"en","type":"remediation reviewer","value":"John Linhart (@escopecz)"},{"lang":"en","type":"sponsor","value":"Leuchtfeuer Digital Marketing (@Leuchtfeuer)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings."}],"value":"A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings."}],"impacts":[{"capecId":"CAPEC-242","descriptions":[{"lang":"en","value":"CAPEC-242 Code Injection"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1336","description":"CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-29T10:01:36.019Z","orgId":"4e531c38-7a33-45d3-98dd-d909c0d8852e","shortName":"Mautic"},"references":[{"url":"https://github.com/mautic/mautic/security/advisories/GHSA-9fx4-7cmj-47vg"}],"source":{"advisory":"GHSA-9fx4-7cmj-47vg","discovery":"UNKNOWN"},"workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators."}],"value":"There are no official workarounds. To mitigate this vulnerability without upgrading, restrict theme upload and creation permissions (core:themes:create) to only highly trusted administrators."}],"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"4e531c38-7a33-45d3-98dd-d909c0d8852e","assignerShortName":"Mautic","cveId":"CVE-2026-9558","datePublished":"2026-05-29T10:01:36.019Z","dateReserved":"2026-05-26T08:36:52.218Z","dateUpdated":"2026-05-29T10:49:06.099Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-29 11:16:17","lastModifiedDate":"2026-05-29 15:39:34","problem_types":["CWE-1336","CWE-1336 CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine"],"metrics":{"cvssMetricV31":[{"source":"security@mautic.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9558","Ordinal":"1","Title":"CVE-2026-9558","CVE":"CVE-2026-9558","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9558","Ordinal":"1","NoteData":"A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings.","Type":"Description","Title":"CVE-2026-9558"}]}}}