PatchSiren

Mautic CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Mautic CVE published 2026-05-29

CVE-2026-9811

A stored Cross-Site Scripting (XSS) vulnerability in the project selector component of Mautic 7 allows an authenticated attacker with project-creation privileges to inject script via an unsanitized project name. The vulnerability exists because project names returned by AJAX endpoints are inserted directly into <option> elements in the DOM without output encoding, so a name containing markup is parsed as HTML rather than displayed as text. When an administrative user later loads an [truncated]
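The following is an added illustration, not Mautic's own code: it shows the unsafe pattern the debrief describes (an API-supplied name concatenated into <option> markup) next to two hardened forms, one that HTML-encodes every dynamic value and one that uses the DOM API so the name is never parsed as HTML. The project list, the payload string and the function names are constructed for the example. The point to take away is that the fix belongs at the point of insertion (output encoding or a text-only DOM API), not in input filtering on the name.

```javascript
// Added example (not Mautic's code): rendering API-supplied project names into
// <select> options. Constructed sample data; the second name is what an
// attacker with project-creation rights could save.
const projects = [
  { id: 1, name: "Spring launch" },
  { id: 2, name: '</option><img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable: the raw name lands in the markup, so the second entry closes the
// <option> early and injects an <img> whose onerror handler runs in the
// session of whoever renders the selector.
function buildOptionsUnsafe(list) {
  return list.map(p => `<option value="${p.id}">${p.name}</option>`).join("");
}

// Minimal HTML entity encoder, adequate for element text and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened, string route: every dynamic value is encoded before concatenation,
// so the payload is shown literally as the option's label.
function buildOptionsSafe(list) {
  return list
    .map(p => `<option value="${escapeHtml(p.id)}">${escapeHtml(p.name)}</option>`)
    .join("");
}

// Hardened, DOM route (preferred in browser code): `new Option(text, value)`
// assigns the label via textContent, so the name is never parsed as HTML.
// Only runs where a DOM exists; in Node it is simply defined.
function fillSelect(selectEl, list) {
  selectEl.replaceChildren(...list.map(p => new Option(p.name, String(p.id))));
  return selectEl.options.length;
}

// Detects whether an injected <img> element survived into the output.
function payloadEscapes(html) {
  return /<img\b/i.test(html);
}

console.log(payloadEscapes(buildOptionsUnsafe(projects))); // true
console.log(payloadEscapes(buildOptionsSafe(projects)));   // false
if (typeof document !== "undefined") {
  fillSelect(document.createElement("select"), projects);
}
```

A useful regression check for this class of bug is exactly the last two calls: feed a name containing `</option><img ...>` through the rendering path and assert that no element tag survives in the resulting markup.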

HIGH Mautic CVE published 2026-05-29

CVE-2026-4776

An authenticated SQL injection vulnerability exists in Mautic's API contact filtering mechanism. The root cause is that sanitization of nested query parameters is not applied recursively, allowing an authenticated API user to bypass the input filtering and inject arbitrary SQL. The vulnerability was published on 2026-05-29 and carries a HIGH-severity CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) [truncated]
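The following is an added illustration, not Mautic's own code, written in JavaScript rather than Mautic's PHP so it can be run stand-alone. It shows the general failure the debrief names: a validator that inspects only the top level of a nested filter structure passes an attacker-controlled identifier buried in a sub-group, while a recursive allowlist plus parameter binding rejects it. The filter shape (a list of where clauses with col/expr/val and andX/orX groups), the column names and the table name are assumptions for the example and are not a description of Mautic's actual API.

```javascript
// Added example (not Mautic's code). Filter shape, columns and table are
// illustrative assumptions.
const ALLOWED_COLUMNS = new Set(["email", "firstname", "lastname", "date_added"]);
const SIMPLE_EXPRS = new Map([["eq", "="], ["neq", "<>"], ["like", "LIKE"], ["gt", ">"], ["lt", "<"]]);
const GROUP_EXPRS = new Map([["andX", "AND"], ["orX", "OR"]]);

// Constructed inputs. `hostile` looks clean at the top level, but the nested
// group carries a "column" that is really SQL.
const benign = [
  { col: "email", expr: "like", val: "%@example.com" },
  { expr: "orX", val: [
    { col: "firstname", expr: "eq", val: "Ada" },
    { col: "lastname", expr: "eq", val: "Lovelace" },
  ] },
];
const hostile = [
  { col: "email", expr: "like", val: "%@example.com" },
  { expr: "orX", val: [
    { col: "firstname", expr: "eq", val: "Ada" },
    { col: "email) OR 1=1 -- ", expr: "eq", val: "x" },
  ] },
];

// Flat check: the kind of validation that is bypassed by nesting. It accepts
// any group expression without looking inside it.
function validateFlat(where) {
  return Array.isArray(where) &&
    where.every(f => f && (ALLOWED_COLUMNS.has(f.col) || GROUP_EXPRS.has(f.expr)));
}

// Recursive check: every leaf at any depth must name an allowed column and a
// known operator; groups recurse, with a depth cap against abusive nesting.
function validateRecursive(where, depth = 0) {
  if (depth > 8 || !Array.isArray(where)) return false;
  return where.every(f => {
    if (!f || typeof f !== "object") return false;
    if (GROUP_EXPRS.has(f.expr)) return validateRecursive(f.val, depth + 1);
    return SIMPLE_EXPRS.has(f.expr) && ALLOWED_COLUMNS.has(f.col);
  });
}

// Compile a validated filter to a parameterized clause. Identifiers reach the
// SQL text only after passing the allowlist; values never do, they are bound.
function compile(where, joiner = "AND", params = []) {
  const sql = where.map(f => {
    if (GROUP_EXPRS.has(f.expr)) return `(${compile(f.val, GROUP_EXPRS.get(f.expr), params).sql})`;
    params.push(f.val);
    return `${f.col} ${SIMPLE_EXPRS.get(f.expr)} ?`;
  }).join(` ${joiner} `);
  return { sql, params };
}

// Entry point: reject anything the recursive check refuses, then build the query.
function filterContacts(where) {
  if (!validateRecursive(where)) throw new Error("rejected filter: unknown column or operator");
  const { sql, params } = compile(where);
  return { sql: `SELECT id, email FROM leads WHERE ${sql}`, params };
}

console.log(validateFlat(hostile), validateRecursive(hostile)); // true false
console.log(filterContacts(benign).sql);
```

Running it shows the asymmetry the debrief describes: `validateFlat` returns true for the hostile filter because it never descends into the orX group, while `validateRecursive` returns false and `filterContacts` refuses to build the query. Parameter binding alone would not have been enough here, since the injected fragment arrives as a column identifier, which cannot be bound; that is why the identifier allowlist has to be applied at every level.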