PatchSiren cyber security CVE debrief
CVE-2026-9811 Mautic CVE debrief
A stored cross-site scripting (XSS) vulnerability in the project selector component of Mautic 7 lets an authenticated attacker with project creation privileges inject script via an unencoded project name. Project names returned by AJAX endpoints are inserted directly into DOM option elements without output encoding, so a name that contains markup is parsed as markup rather than shown as text. Because the payload is stored, it fires for every administrative user who later opens an entity editor containing the project selector, executing in that user's browser session. The attack requires authenticated access and a victim interaction, which limits its blast radius, but successful exploitation can lead to session hijacking, actions performed on behalf of the victim, or access to sensitive organizational data in the Mautic dashboard. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects a network attack vector, low complexity, low privileges required, user interaction needed, changed scope (the script runs in the victim's browser, outside the component that stored it), and low confidentiality and integrity impact with no availability impact.
- Vendor: Mautic
- Product: Mautic 7
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running Mautic 7 with multiple administrative users, particularly those where lower-privileged users can create projects that higher-privileged users may later interact with. Security teams monitoring for stored XSS vectors in marketing automation platforms.
Technical summary
The project selector component in Mautic 7 renders the selection menu used to associate projects with system entities. An authenticated user with project creation permission can store a script payload in a project name. The application fetches project names via AJAX and writes them into option elements without output encoding. JSON encoding of the AJAX response does not help here: the name must be HTML-encoded, or set through DOM text properties, at the point where it enters the document. When another administrative user opens an entity editor containing the selector, the browser executes the injected script in the context of that user's active session.
Defensive priority
medium
Recommended defensive actions
- Apply patches from the Mautic security advisory when available, prioritizing instances with multiple administrative users
- Deploy a Content Security Policy (CSP) to limit the impact of any unpatched XSS vector; a policy that still permits unsafe-inline script does not mitigate this class, so start in report-only mode and tighten before enforcing
- Restrict project creation permission to users who need it until remediation is confirmed, and review existing project names for markup, since a stored payload survives the patch until the offending record is cleaned up
- Set the HttpOnly and Secure flags on session cookies to reduce cookie theft; note that script running in a victim's session can still issue authenticated requests without reading the cookie
- Monitor application logs for anomalous project creation events followed by unusual administrative activity
- Verify that every AJAX endpoint whose data is inserted into the DOM is encoded for the context it lands in (element text, attribute value, or JavaScript), not just JSON-encoded in transit
Evidence notes
Vulnerability description sourced from official CVE record and NVD entry. Advisory reference GHSA-5hvg-w58j-545m published by [email protected] confirms vendor acknowledgment. CVSS vector and CWE-79 classification derived from NVD source metadata. Vendor field marked unknown in source data with review flag set; product identified as Mautic 7 from CVE description text.
Official resources
- CVE-2026-9811 CVE record (CVE.org)
- CVE-2026-9811 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29T12:16:27.030Z